Abstract

We investigate the bit-search type irregular decimation algorithms that are used within LFSR-based stream ciphers. In particular, we concentrate on BSG and ABSG, and consider two different setups for the analysis. In the first case, the input is assumed to be an m-sequence; we show that all possible output sequences can be classified into two sets, each of which is characterized by the equivalence of their elements up to shifts. Furthermore, we prove that the cardinality of each of these sets is equal to the period of one of its elements and subsequently derive the first known bounds on the expected output period (assuming that no subperiods exist). In the second setup, we work in a probabilistic framework and assume that the input sequence is evenly distributed (i.e., an independent identically distributed Bernoulli process with probability 1/2). Under these assumptions, we derive closed-form expressions for the distribution of the output length and the output rate, which is shown to be asymptotically Gaussian-distributed and concentrated around the mean with exponential tightness.

Index Terms

Irregular decimation algorithms, bit-search type generators, BSG, ABSG, statistical properties, period, output rate, asymptotic distributions.

I. Introduction

Within symmetric key encryption, there are two main classes of schemes: block ciphers and stream ciphers. As far as stream ciphers are concerned, the usage of linear feedback shift registers (LFSRs) as the main building block is quite common in practice because of the implementation efficiency, speed and good statistical properties of the output. It is well-known that the cryptanalysis of LFSRs is of polynomial complexity due to their linearity properties [1]. Therefore, it is essential to bring additional non-linearities to the LFSR outputs in order to enhance the security of the resulting system. One such approach includes applying irregular decimation techniques to the LFSR output [2], [3], [4], [5]. Such techniques may render several conventional attacks useless, such as algebraic attacks, which are known to be among the most effective attack algorithms designed against LFSR-based stream ciphers. We use the term "decimation-type algorithms" to denote algorithms that use irregular decimation techniques.

Shrinking [4] and self-shrinking generators (SSG) [5] are two important examples of this class; in the literature, they are known as the "pioneering" algorithms that employ the idea of "decimation". SSG is very simple and efficient in terms of hardware implementation; furthermore, its security against known attacks makes it one of the most popular state-of-the-art decimation-type algorithms [6], [7], [8]. In SSG, the main idea is to split the input bitstream into blocks of length 2 and produce the output bit stream as a function of the first bit of the input blocks.

The bit-search generator (BSG) [2] and its subsequent variant ABSG [3] are relatively newer techniques, which also qualify as decimation-type algorithms. In contrast with SSG, the approach in bit-search type methods is to "look for" particular patterns of variable lengths in order to produce an output bit; the type of the particular mapping that operates on the input to produce the output stream determines the difference between BSG and ABSG. A detailed comparison between ABSG and BSG is given in [3]. ABSG and BSG have the same asymptotic output rate, which can be shown to be better than that of SSG. Moreover, it has been shown in [9] that, against most known attacks, ABSG is the "best" choice among a wide class of decimation-type algorithms in the sense of known attack complexities. Therefore, we believe that ABSG is worth investigating further, which basically forms the essence of this paper.

Focus of the paper: As far as stream ciphers are concerned, characterization of rate and periodicity is of fundamental significance. Qualitatively, the "rate" (i.e., output rate) of a decimation-type algorithm is defined as the reciprocal of the number of input bits needed to produce one bit of output, on average. Therefore, the rate of a decimation-type algorithm directly determines the efficiency of the resulting stream cipher. Next, it is well-known (e.g., see [10]) that a large "period" (i.e., output period) of an LFSR-based stream cipher is a necessary condition for the security of the system. In this paper, we focus on the analytical quantification of rate and periodicity of bit-search type generators, namely BSG [2] and ABSG [3].
Prior results: In [2], the authors have intuitively argued that the asymptotic rate of the BSG algorithm is 1/3. Moreover, based on experimental evidence, they have conjectured that, for m-sequences (i.e., maximal-length LFSR outputs which have been generated using a primitive feedback polynomial [1]), the BSG algorithm produces exactly two types of output sequences in terms of their periods, namely with approximate periods of $T/3$ and $2T/3$. Further, based on this observation, they have argued that the average resulting period is always $T/2$. In [3], based on the assumption that the input sequence is a realization of an i.i.d. (independent identically distributed) Bernoulli process with probability 1/2 (i.e., the input sequence is "evenly distributed"), the authors have also mentioned that the expected output rate is 1/3. Arguments about the output period of ABSG, which are similar to the ones presented in [2], are also mentioned in [3].

Our contribution: We derive analytical results on the rate and periodicity properties of BSG and ABSG algorithms in 
deterministic and probabilistic setups: 

• Deterministic Setup: In this case, we assume that the input sequence is an m-sequence.

- We prove that both BSG and ABSG produce exactly two types of output sequences with respect to their periods. In 
particular, the set of output sequences is given as the union of two disjoint sets; within each one of these sets, the 
elements are equivalent to each other up to shifts. 

- We show that the cardinality of each one of the aforementioned two sets is equal to the period of any element included 
in that set. Using this result, we derive the first known bounds on the expected period of the output sequence of BSG 
and ABSG algorithms under the assumption that no subperiods exist. 

• Probabilistic Setup: In this framework, we assume that the input sequence is a realization of an i.i.d. Bernoulli process 
with probability 1/2. 

- Given the length of the input sequence (say N), we derive a closed form expression for the distribution of the length 
of the output sequence produced by BSG and ABSG algorithms. Using this result, we analytically derive output rates 
of both algorithms. 

- Moreover, we prove that the aforementioned distribution converges to a Gaussian distribution with mean $N/3$ and variance $2N/27$, which, in turn, implies that the concentration around the mean is exponentially tight. As a result, we show that the output rate is exponentially concentrated around 1/3.

The organization of the paper is as follows. In Section II the notation used in the paper and the definitions of the BSG and ABSG algorithms are given. In Section III we derive fundamental properties of the BSG and ABSG algorithms related to periodicity under the assumption that the input is an m-sequence. In Section IV we investigate the probabilistic behavior of BSG and ABSG assuming that the input is evenly distributed. The paper concludes with discussions given in Section V.

II. Notation and Background 

In this section we introduce the notation we follow throughout the paper and give basic definitions about BSG and ABSG 
algorithms. 

A. Notation 

Boldface letters denote vectors; regular letters with subscripts denote individual elements of vectors. Furthermore, capital letters represent random variables and lowercase letters denote individual realizations of the corresponding random variable. For instance, let $\mathbf{A} \in \mathbb{R}^N$ denote a length-$N$ random vector. In that case, $A_i$ (which is a random variable) represents the $i$-th entry of $\mathbf{A}$; $\mathbf{a} \in \mathbb{R}^N$ is a particular realization of $\mathbf{A}$ and similarly $a_i$ represents the $i$-th entry of $\mathbf{a}$. Also, the sequence $(a_1, a_2, \ldots, a_N)$ is compactly represented by $a_1^N$. We use the notation $(\mathbf{a}, i)$ to denote the $i$-shifted version of $\mathbf{a}$; i.e., defining $\bar{\mathbf{a}} = (\mathbf{a}, i)$, we have $\bar{a}_n = a_{n+i}$ for all $n, i \geq 0$. Furthermore, given $a_1^N$ such that $a_i \in \{c_1, c_2, \ldots, c_K\}$, $1 \leq i \leq N$, we define $W_{c_k}(a_1^N) = \sum_{j=1}^{N} \mathbb{1}_{a_j = c_k}$, where $\mathbb{1}$ denotes the standard indicator function.

B. Description of BSG and ABSG 

Both BSG and ABSG are algorithms that take the output of a pseudo-random number generator (PRNG) (e.g., an LFSR) as their input and construct the output by irregularly decimating the input sequence. In the discussions below, let $x = (x_1, x_2, \ldots)$ denote the input sequence to these algorithms.

Such an arbitrary input bit stream $x$ can be partitioned into non-overlapping blocks of the form $b, \bar{b}^i, b$, where $i \geq 0$, $b \in \{0, 1\}$, and $\bar{b}$ denotes the complement of the bit $b$. This partitioning is the common first step in both BSG and ABSG. The difference between them arises from the output bit generation mechanism once the partitioning is done. In the case of BSG, an output bit is produced by XOR-ing the first two bits of the corresponding input block, which is of the form $b, \bar{b}^i, b$, where $i \geq 0$. Clearly, this implies that if $i = 0$ (resp. $i > 0$), then the corresponding output bit is $0$ (resp. $1$). In the case of ABSG, the output bit is the second bit of the corresponding block in the input sequence; in other words, given an input block $b, \bar{b}^i, b$, where $i \geq 0$, the output bit is $b$ (resp. $\bar{b}$) if $i = 0$ (resp. $i > 0$).
Toy Example: Suppose we are given the input bit stream

$x = (1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0).$

• Partitioning: After the partitioning is done using the aforementioned rule, we have the following blocks: 

{(1,0,1), (0,1, 1,0), (0,1,0), (1,1), (1,0, 0,0, 0,1), (0,0), (1,1), (0,1,0), (0,1,0), (1,0,0,1), (0,1, 1,0)} 

• Output Bit Generation: 

- BSG: Output bit sequence is (1, 1, 1, 0, 1, 0, 0, 1, 1, 1, 1). 

- ABSG: Output bit sequence is (0, 1, 1, 1, 0, 0, 1, 1, 1, 0, 1). 

Alternatively, the BSG and ABSG algorithms can be viewed as two-step algorithms as well. In other words, one can show that the BSG (resp. ABSG) algorithm is equivalent to the successive application of two algorithms, namely algorithm A and algorithm B (resp. C), whose definitions are given below (see Fig. 1). Although this partitioning is an artificial construction, it provides deeper insight into the statistical properties and ease of operation of BSG and ABSG.

Remark 2.1: We use algorithm A in order to derive the periodicity properties and output rate results in this paper, so the 
results we find are valid for both BSG and ABSG algorithms. 
Fig. 1. Block diagram representation of BSG and ABSG as two-step algorithms.

Definition 2.1: The input sequence of algorithm A is defined as $x = (x_1, x_2, \ldots)$, where $x_i \in \{0, 1\}$.

Definition 2.2: $y = A(x)$, where $y$ is the internal state of the BSG and ABSG algorithms and $y_i \in \{0, \bar{0}, 1\}$, $1 \leq i \leq N$, $i \in \mathbb{Z}^+$. The action of algorithm A is defined via the mapping $\mathcal{M}$:

$y_i = \mathcal{M}(y_{i-1}, x_i), \quad 1 \leq i \leq N, \; i \in \mathbb{Z}^+,$

with the initial condition $y_0 = 0$. The mapping $\mathcal{M}$ is given in Table I [2].

TABLE I 

Transition Table of algorithm A 
Remark 2.2: The BSG and ABSG algorithms produce an output bit at time instant $i$ if and only if $y_i = 0$.

Definition 2.3: $z = B(y)$, where $z$ is the output sequence of the BSG algorithm; the action of algorithm B is given as follows:

$z_j = \begin{cases} 0, & \text{if } y_i = 0 \text{ and } y_{i-2} = 0, \\ 1, & \text{if } y_i = 0 \text{ and } y_{i-2} \neq 0, \end{cases}$

where $j < i$ and $i, j \in \mathbb{Z}^+$.

Definition 2.4: $z = C(y)$, where $z$ is the output sequence of the ABSG algorithm; the action of algorithm C is given as follows:

$z_j = \begin{cases} y_{i-1}, & \text{if } y_i = 0 \text{ and } y_{i-2} = 0, \\ \bar{y}_{i-1}, & \text{if } y_i = 0 \text{ and } y_{i-2} \neq 0, \end{cases}$

where $j < i$ and $i, j \in \mathbb{Z}^+$.

Remark 2.3: One can show that $B(A(x))$ (resp. $C(A(x))$) is equivalent to the BSG (resp. ABSG) algorithm; to see this, we refer the interested reader to [2], [3], where $y_i$ is referred to as the "state" of the algorithm at time $i$.
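As an added, runnable illustration of the toy example of Section II-B and of Remark 2.3 (this is not code from the paper): the direct, partition-based BSG and ABSG beside the two-step forms B(A(x)) and C(A(x)). Table I is not reproduced on this page, so the transition rule in `step_A` is reconstructed from Definitions 2.2-2.4 and Remark 2.2 (an assumption: state 0 marks the end of a block, otherwise the state remembers the opening bit of the block); the 36-bit input is the concatenation of the eleven blocks listed in the toy example.

```python
from itertools import product

# Added example, not code from the paper. State alphabet {0, 0bar, 1} of algorithm A.
S_ZERO, S_ZBAR, S_ONE = "0", "0bar", "1"


def partition(x):
    """Split x into non-overlapping blocks (b, bbar^i, b), i >= 0 (Section II-B).
    A trailing block that is never closed by a second b is discarded."""
    blocks, start = [], 0
    while start < len(x):
        b, end = x[start], start + 1
        while end < len(x) and x[end] != b:
            end += 1
        if end == len(x):
            break
        blocks.append(tuple(x[start:end + 1]))
        start = end + 1
    return blocks


def bsg_direct(x):
    """BSG: XOR of the first two bits of each block (0 iff the block has length 2)."""
    return tuple(blk[0] ^ blk[1] for blk in partition(x))


def absg_direct(x):
    """ABSG: the second bit of each block (b for (b, b), bbar for longer blocks)."""
    return tuple(blk[1] for blk in partition(x))


def step_A(y_prev, x):
    """One application of M(y_{i-1}, x_i); reconstruction of Table I (an assumption):
    from state 0 the bit x opens a block and is remembered (0 -> 0bar, 1 -> 1);
    an open block returns to state 0 exactly when its opening bit is read again."""
    if y_prev == S_ZERO:
        return S_ONE if x == 1 else S_ZBAR
    opening_bit = 1 if y_prev == S_ONE else 0
    return S_ZERO if x == opening_bit else y_prev


def run_A(x):
    """y = A(x) with y_0 = 0 (Definition 2.2); returns [y_0, y_1, ..., y_N]."""
    y = [S_ZERO]
    for bit in x:
        y.append(step_A(y[-1], bit))
    return y


def state_bit(y):
    """The bit value carried by a non-zero state (0bar -> 0, 1 -> 1)."""
    return 1 if y == S_ONE else 0


def algorithm_B(y):
    """Definition 2.3: at every i with y_i = 0, emit 0 if y_{i-2} = 0, else 1."""
    return tuple(0 if y[i - 2] == S_ZERO else 1
                 for i in range(2, len(y)) if y[i] == S_ZERO)


def algorithm_C(y):
    """Definition 2.4: at every i with y_i = 0, emit the bit of y_{i-1} if
    y_{i-2} = 0, else its complement."""
    return tuple(state_bit(y[i - 1]) if y[i - 2] == S_ZERO else 1 - state_bit(y[i - 1])
                 for i in range(2, len(y)) if y[i] == S_ZERO)


# Toy example of Section II-B: the eleven listed blocks, concatenated.
TOY_X = (1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 1, 0, 0, 1, 1,
         0, 1, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0)


def toy_example():
    """Both views of BSG and ABSG on TOY_X (by Remark 2.3 they must agree)."""
    y = run_A(TOY_X)
    return {"blocks": partition(TOY_X),
            "bsg": bsg_direct(TOY_X), "bsg_two_step": algorithm_B(y),
            "absg": absg_direct(TOY_X), "absg_two_step": algorithm_C(y)}


def two_step_matches_direct(n):
    """Exhaustive check of Remark 2.3 over every input of length n."""
    for x in product((0, 1), repeat=n):
        y = run_A(x)
        if algorithm_B(y) != bsg_direct(x) or algorithm_C(y) != absg_direct(x):
            return False
    return True


if __name__ == "__main__":
    for name, value in toy_example().items():
        print(name, value)
    print("B(A(x)) == BSG(x) and C(A(x)) == ABSG(x) for all 12-bit x:",
          two_step_matches_direct(12))
```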

Definition 2.5: Given the input $x_{i+1}^{i+j}$ and the state $y_i$ at some time $i$ ($i \in \mathbb{N}$), we use $\mathcal{M}^j(\cdot, \cdot)$ to denote the equivalent mapping of applying $\mathcal{M}(\cdot, \cdot)$ $j$ successive times, beginning from time $i+1$, to the input $(x_{i+1}, x_{i+2}, \ldots, x_{i+j})$. Hence, we recursively define

$\mathcal{M}^j(y_i, x_{i+1}^{i+j}) = \mathcal{M}\left(\mathcal{M}^{j-1}(y_i, x_{i+1}^{i+j-1}), x_{i+j}\right), \quad j \in \mathbb{Z}^+, \quad (1)$

where $\mathcal{M}^1(y_i, x_{i+1}^{i+1}) = \mathcal{M}(y_i, x_{i+1}) = y_{i+1}$, $i \in \mathbb{N}$.

Definition 2.6: We define $S$ as the set of all possible ordered state values at a specific time:

$S = \left\{ (0, \bar{0}, 1)^T, (0, 1, \bar{0})^T, (\bar{0}, 0, 1)^T, (\bar{0}, 1, 0)^T, (1, 0, \bar{0})^T, (1, \bar{0}, 0)^T \right\}.$

For any $\mathbf{a} \in S$, $\mathbf{a}(k) \in \{0, \bar{0}, 1\}$ denotes the $k$-th element of $\mathbf{a}$, $1 \leq k \leq 3$.

Definition 2.7: Using time $i \in \mathbb{N}$ as the reference point, given the input $x_{i+1}^{i+j} \in \{0, 1\}^j$ and the possible ordered state values $s_i \in S$ at time $i$, the vector of ordered states at time $i+j$ is denoted by $s_i^j \in S$, $j \in \mathbb{Z}^+$, where

$s_i^j = \begin{pmatrix} \mathcal{M}^j\left(s_i(1), x_{i+1}^{i+j}\right) \\ \mathcal{M}^j\left(s_i(2), x_{i+1}^{i+j}\right) \\ \mathcal{M}^j\left(s_i(3), x_{i+1}^{i+j}\right) \end{pmatrix}. \quad (2)$

Remark 2.4: We use the convention $s_i^0 = s_i$ for all $i \in \mathbb{N}$. Also, note that, for all $i, j$, $s_i^j$ is a function of both $x_{i+1}^{i+j}$ and $s_i$, but this dependency is not explicitly specified in the notation for the sake of convenience.

Definition 2.8: We define the mapping

$\mathcal{M}^j(\cdot, \cdot) : S \times \{0, 1\}^j \longmapsto S,$

such that, for all $i \in \mathbb{N}$, $j \in \mathbb{Z}^+$, $\mathcal{M}^j(s_i, x_{i+1}^{i+j}) = s_i^j$, where $s_i^j$ is given in (2).

Remark 2.5: One way to interpret the mapping $\mathcal{M}^j(\cdot, \cdot)$ is to view it as a permutation on $s_i$ as a function of $x_{i+1}^{i+j}$. In particular, beginning from time $i \geq 0$, given the input $x_{i+1}^{i+j}$, $\mathcal{M}^j$ produces $s_i^j$, which is a permuted version of $s_i \in S$. Hence, for a fixed input $x$ (of length $j$), $\mathcal{M}^j(\cdot, x)$ is a permutation (for all $j$). Next, recall that the set of all permutations on 3 letters forms a group under composition of mappings; in algebra, this is a well-known group, called the "symmetric group of degree 3" and denoted by $S_3$, which is of cardinality $3! = 6$ and known to be non-abelian [11]. We heavily use this interpretation in the proofs of some of the results presented in the subsequent sections².

Definition 2.9: Given an input sequence $x$ (of length $j$), the permutation order of the corresponding mapping $\mathcal{M}^j(\cdot, x) : S \longmapsto S$ is the order of the corresponding permutation in $S_3$ [11].

Note that, given a length-$j$ input $x$ and some $s \in S$ on which $\mathcal{M}^j$ operates,

• the permutation order of $\mathcal{M}^j$ is 1 if it is the identity mapping,

• the permutation order of $\mathcal{M}^j$ is 2 if it swaps two elements of $s$ and preserves the location of the remaining element,

• the permutation order of $\mathcal{M}^j$ is 3 if it changes the locations of all 3 elements of $s$.

We have completed defining basic concepts about BSG and ABSG algorithms; in the subsequent sections, we derive some 
fundamental properties of BSG and ABSG algorithms related to the rate and periodicity. 

III. Deterministic Setup 

In this section, we analyze the behavior of the BSG and ABSG algorithms for the case of m-sequence inputs. We present some basic results in Section III-A. In Section III-B we prove important properties of BSG and ABSG for the case of m-sequence inputs, which are used in Section III-C, where upper and lower bounds for the expected periods of BSG and ABSG are derived.

A. General Properties 

In this part, we state some fundamental results which we frequently use throughout the rest of Section III.

Lemma 3.1: Given the state $y_i$ at time $i$, $\mathcal{M}(y_i, x_{i+1})$ is a one-to-one mapping on the state set $\{0, \bar{0}, 1\}$ for all $i \in \mathbb{N}$.

Proof: Lemma 3.1 is clear from the definition of the mapping $\mathcal{M}(\cdot, \cdot)$ given in Table I. ■

Remark 3.1: From Lemma 3.1 it is obvious that for every distinct input (resp. output) sequence to algorithm A, there is a unique output (resp. input) sequence.

Remark 3.2: Given a length-$j$ input $x$, the mapping $\mathcal{M}^j(\cdot, x)$ and the corresponding equivalent permutation $\theta \in S_3$, we have [11]

• the permutation order of $\mathcal{M}^j$ is 1 or 3 if and only if $\theta$ is an even permutation,

• the permutation order of $\mathcal{M}^j$ is 2 if and only if $\theta$ is an odd permutation.
Remark 3.3: [11] Given $\theta, \psi \in S_3$, we have

• if both $\theta$ and $\psi$ are even permutations, then both $\theta \circ \psi$ and $\psi \circ \theta$ are even permutations,

• if both $\theta$ and $\psi$ are odd permutations, then both $\theta \circ \psi$ and $\psi \circ \theta$ are even permutations,

• if either "$\theta$ is odd and $\psi$ is even" or "$\theta$ is even and $\psi$ is odd", then both $\theta \circ \psi$ and $\psi \circ \theta$ are odd permutations.

² In this paper, we employ $S_3$ with a slight abuse of notation: it is customary in algebra to define the symmetric group $S_3$ on pre-defined triplets, whereas in this work, the elements of the group $S_3$ operate on vectors of length 3 which constitute the set $S$.
Lemma 3.2: Given a length-$N$ input $x$, we have

1) if $N$ is even, the permutation order of $\mathcal{M}^N(\cdot, x)$ is 1 or 3,

2) if $N$ is odd, the permutation order of $\mathcal{M}^N(\cdot, x)$ is 2.

Proof: First, we recall the mapping $\mathcal{M}(y, x)$ for any $x \in \{0, 1\}$ from Table I. Clearly, Table I implies that the permutation order of $\mathcal{M}^1$ is 2. Hence, from Remark 3.2 we note that the corresponding permutation in $S_3$ is odd. Next, we analyze the mapping $\mathcal{M}^2(y, x)$ for any length-2 $x \in \{0, 1\}^2$ in Table II. We conclude that the permutation order of $\mathcal{M}^2$ is 1 or 3. Again,

TABLE II
$\mathcal{M}^2(y, x)$ for any length-2 $x$
from Remark 3.2 we note that the corresponding permutation in $S_3$ is even. Next, we define $\theta$ as the permutation in $S_3$ which corresponds to the mapping $\mathcal{M}^N$ for a fixed input. If $N$ is even, then $\theta$ can be expressed as a product of even permutations, which yields an even permutation (Remark 3.3). If $N$ is odd, then $\theta$ can be expressed as a product of multiple even permutations and a single odd permutation, which yields an odd permutation (Remark 3.3). Per Remark 3.2, this, in turn, implies that the permutation order of $\mathcal{M}^N$ is 1 or 3 (resp. 2) if $N$ is even (resp. odd). ■

Before finishing this section, we state Lemma 3.3, which is heavily used in the proof of Lemma 3.5. Note that Lemma 3.3 is originally given in [2]; in this paper, we provide the proof using our notation and setup.

Lemma 3.3: [2] Given $x_1^i$ for any $i > 1$, let $x_{k+1}^i$ be the $k$-shifted version of $x_1^i$ for some $k \in \{1, 2, \ldots, i-1\}$. Then,

$\left[\mathcal{M}^i(0, x_1^i) = \mathcal{M}^{i-k}(0, x_{k+1}^i)\right] \Longleftrightarrow \left[\mathcal{M}^k(0, x_1^k) = 0\right]. \quad (3)$

Proof: First, we prove the forward statement. We can express $\mathcal{M}^i(0, x_1^i)$ in the following form:

$\mathcal{M}^i(0, x_1^i) = \mathcal{M}^{i-k}\left(\mathcal{M}^k(0, x_1^k), x_{k+1}^i\right).$

If $\mathcal{M}^i(0, x_1^i) = \mathcal{M}^{i-k}(0, x_{k+1}^i)$, Remark 3.1 implies that $\mathcal{M}^k(0, x_1^k) = 0$. The converse statement of (3) is trivial, since

$\mathcal{M}^i(0, x_1^i) = \mathcal{M}^{i-k}\left(\mathcal{M}^k(0, x_1^k), x_{k+1}^i\right) = \mathcal{M}^{i-k}(0, x_{k+1}^i).$ ■

Next, we proceed with proving results on periodicity properties. 

B. Periodicity Results for Maximal-Length Sequences 

Throughout this section, we assume that $x$ is generated by a length-$L$ LFSR for a given primitive feedback polynomial. Hence, $x$ is an m-sequence (maximal-length sequence) and one period of it is denoted by $x_1^T$, where $T = 2^L - 1$ is the period of an m-sequence [1].

Definition 3.1: Given a length-$L$ LFSR, the set of all possible initial states of the form $x_1^L$, except the all-zero case, is denoted by $X = \{0, 1\}^L - \{0\}^L$.

Remark 3.4: Obviously, $|X| = T$.

Definition 3.2: $\mathcal{Y} = \{y \mid y = A(x)\}$, where $x$ is generated by a length-$L$ LFSR, for all $x_1^L \in X$ as the initial state.

Remark 3.5: For every initial state of the LFSR such that $x_1^L \in X$, there exists a unique output [1]. Since $|X| = T$, Remark 3.1 implies that $|\mathcal{Y}| = T$.

Definition 3.3:

$\mathcal{Y}_A = \{y \in \mathcal{Y} \mid y_T = 0\}, \qquad \mathcal{Y}_B = \{y \in \mathcal{Y} \mid y_T \neq 0\}.$

Remark 3.6: Using Definitions 3.2 and 3.3, we clearly have

$\mathcal{Y}_A \cap \mathcal{Y}_B = \emptyset, \qquad \mathcal{Y}_A \cup \mathcal{Y}_B = \mathcal{Y}.$

In other words, $\mathcal{Y}_A$ and $\mathcal{Y}_B$ are mutually exclusive, collectively exhaustive subsets of $\mathcal{Y}$.

In the following proposition, we state some fundamental properties regarding the periods of the elements of $\mathcal{Y}_A$ and $\mathcal{Y}_B$; recall that for algorithm A, we have the initial condition $y_0 = 0$.

Proposition 3.1:

i) Every $y \in \mathcal{Y}_A$ is periodic with $T$.

ii) Every $y \in \mathcal{Y}_B$ is periodic with $2T$.

Proof:

i) First, note that the sequence $y_1^T$ is generated using the input $x_1^T$ with the initial condition $y_0 = 0$. Now, for all $y \in \mathcal{Y}_A$, we have $y_T = 0$. Because $x$ is periodic with $T$, we have $x_{T+1}^{2T} = x_1^T$. Moreover, since $y_{T+1}^{2T}$ is produced by $x_{T+1}^{2T}$ with the initial condition $y_T = 0$, we necessarily have $y_{T+1}^{2T} = y_1^T$ due to the one-to-one property stated in Remark 3.1. Hence the proof of the first part.

ii) Given a fixed input $x_1^T$, we know that the permutation order of $\mathcal{M}^T(\cdot, x_1^T)$ is 2 since $T = 2^L - 1$ is odd (Lemma 3.2). Let $\theta \in S_3$ denote the permutation corresponding to $\mathcal{M}^T(\cdot, x_1^T)$ for fixed $x$. Since the permutation order of $\mathcal{M}^T$ is 2, $\theta$ is odd (Remark 3.2). Next, note that the permutation in $S_3$ corresponding to $\mathcal{M}^T(\cdot, x_{T+1}^{2T})$ is also equal to $\theta$ since $x$ is $T$-periodic. Now, observe that any odd permutation in $S_3$ is the inverse of itself, since an odd permutation in $S_3$ preserves the location of one element and swaps the locations of the remaining two. This implies $\theta \circ \theta = e$, where $e$ is the identity element in $S_3$. Hence, $\mathcal{M}^{2T}(s, x_1^{2T}) = s$ for any $s \in S$ and $T$-periodic $x$. Therefore, $y_{2T} = 0$ since $y_0 = 0$ by assumption. This, using arguments similar to those in the proof of part (i), implies that $y \in \mathcal{Y}_B$ is always $2T$-periodic. ■

Remark 3.7: As a direct consequence of Remark 3.6 and Proposition 3.1, we observe that given $x$ as input, algorithm A generates exactly two kinds of output sequences in terms of their periods, namely the ones with period $T$ and $2T$.

The following lemma is an interesting property of sequences in $\mathcal{Y}_B$, which will be helpful in the proofs of Lemma 3.5 and Lemma 3.6.

Lemma 3.4: For all $y \in \mathcal{Y}_B$ and for all $i \in \{1, 2, \ldots, T\}$, we cannot have $(y_i = 0)$ and $(y_{T+i} = 0)$.

Proof: The statement is trivially true if $i = T$, from the definition of $\mathcal{Y}_B$. Furthermore, since we cannot have $y_1 = 0$ from the definition of $\mathcal{M}(\cdot, \cdot)$, the statement is true for $i = 1$ as well. Next, we consider $1 < i < T$ and follow proof by contradiction. Suppose the statement is false for some $y \in \mathcal{Y}_B$ and some $i \in \{2, 3, \ldots, T-1\}$, i.e., we have $y_i = y_{T+i} = 0$. Using this and the fact that $x$ is $T$-periodic, we have

$0 = y_{2T} = \mathcal{M}^{T-i}(y_{T+i}, x_{T+i+1}^{2T}) = \mathcal{M}^{T-i}(0, x_{T+i+1}^{2T}) = \mathcal{M}^{T-i}(0, x_{i+1}^{T}) = \mathcal{M}^{T-i}(y_i, x_{i+1}^{T}) = y_T,$

where we also used the one-to-one property of $\mathcal{M}(\cdot, \cdot)$. This yields a contradiction since $y \in \mathcal{Y}_B$ and $y_T \neq 0$ by definition. ■

Lemma 3.5: Given an arbitrary m-sequence $x$ such that $y = A(x)$,

i) if $y \in \mathcal{Y}_A$, then

$[y_k = 0] \Longrightarrow [A((x, k)) \in \mathcal{Y}_A];$

ii) if $y \in \mathcal{Y}_B$, then

$[y_j = 0] \Longrightarrow [A((x, k)) \in \mathcal{Y}_B],$

where $k = j \bmod T$.

Proof: See Appendix I. ■

Lemma 3.6:

i) Given an arbitrary m-sequence $x$ such that $y = A(x) \in \mathcal{Y}_A$, and for any given $\tilde{y} \in \mathcal{Y}_A$, there exists a unique $k \in \{0, 1, 2, \ldots, T-1\}$ such that $\tilde{y} = A((x, k))$ and $y_k = 0$.

ii) Given an arbitrary m-sequence $x$ such that $y = A(x) \in \mathcal{Y}_B$, and for any given $\tilde{y} \in \mathcal{Y}_B$, there exists a unique $k \in \{0, 1, 2, \ldots, T-1\}$ and a unique $j \in \{0, 1, 2, \ldots, 2T-1\}$ such that $\tilde{y} = A((x, k))$ and $y_j = 0$, where $j \equiv k \pmod T$.

Proof: See Appendix II. ■

Theorem 3.1: Given an arbitrary m-sequence $x$ such that $y = A(x)$,

i) if $y \in \mathcal{Y}_A$, then

$\mathcal{Y}_A = \{A((x, k)) \mid y_k = 0,\ 0 \leq k < T\}; \quad (4)$

ii) if $y \in \mathcal{Y}_B$, then

$\mathcal{Y}_B = \{A((x, k)) \mid y_j = 0,\ 0 \leq k < T,\ j \equiv k \pmod T\}. \quad (5)$

Proof: Part (i) of the theorem is obvious using the first parts of Lemmas 3.5 and 3.6. Likewise, part (ii) of the theorem is obvious using the second parts of Lemmas 3.5 and 3.6. ■

Remark 3.8: From Theorem 3.1 we note the following results:

i) All $y \in \mathcal{Y}_A$ are "properly"-shifted versions of each other. To be more precise, all the $y$'s in $\mathcal{Y}_A$ can be formed by "0-shift"ing an arbitrary element of $\mathcal{Y}_A$.

ii) All $y \in \mathcal{Y}_B$ are "properly"-shifted versions of each other. To be more precise, all the $y$'s in $\mathcal{Y}_B$ can be formed by "0-shift"ing an arbitrary element of $\mathcal{Y}_B$.

Here, a "0-shift" of a sequence $y$ refers to some $(y, k)$ where $y_k = 0$.
The significance of Remark 3.8 is the following: we can completely characterize the set $\mathcal{Y}_A$ in terms of "0-shifts" of any $y \in \mathcal{Y}_A$, and similarly $\mathcal{Y}_B$ can be completely characterized in terms of "0-shifts" of any $y \in \mathcal{Y}_B$. This point turns out to be helpful in deriving results related to the cardinalities of $\mathcal{Y}_A$ and $\mathcal{Y}_B$, which will be investigated next³. First, we provide the following definition:

Definition 3.4:

• Given any $y \in \mathcal{Y}_A$, $T_A$ is the number of 0's within one period; i.e., $T_A = W_0(y_1^T)$ where $y \in \mathcal{Y}_A$.

• Given any $y \in \mathcal{Y}_B$, $T_B$ is the number of 0's within one period; i.e., $T_B = W_0(y_1^{2T})$ where $y \in \mathcal{Y}_B$.

The following corollary is a direct consequence of Theorem 3.1.

Corollary 3.1:

$|\mathcal{Y}_A| = T_A, \qquad |\mathcal{Y}_B| = T_B.$

Corollary 3.1 is one of the key results of this paper. Without this result, at first sight, it may look like the cardinalities of $\mathcal{Y}_A$ and $\mathcal{Y}_B$ are about the same [2]; however, as we show in the subsequent sections, this is indeed not the case. In fact, the cardinality of $\mathcal{Y}_A$ (resp. $\mathcal{Y}_B$) is equal to the length of the output sequence $z$ produced within one period by the ABSG algorithm, where $z = C(y)$, $y \in \mathcal{Y}_A$ (resp. $y \in \mathcal{Y}_B$); replacing $C$ with $B$, the same argument holds for the BSG algorithm as well. Next we proceed with Corollary 3.2 which, together with Corollary 3.1, constitutes our main tool in deriving bounds on the periods of the output sequences of the BSG and ABSG algorithms.

Corollary 3.2:

$T_A + T_B = T. \quad (6)$

Note that Corollary 3.2 is a direct consequence of Corollary 3.1 and Remarks 3.5 and 3.6.

From Corollary 3.2 it is obvious that a lower bound for $T_A$ directly implies an upper bound for $T_B$ and vice versa. In the next section, we derive lower and upper bounds for $T_A$ and $T_B$.



C. Bounds 

Before proceeding any further, we note the following fundamental observation, stated in Remark 3.9, about the period of the output sequence $z$ for both the BSG and ABSG algorithms.

Remark 3.9: Combining Proposition 3.1 and Definition 3.4, and noting that both BSG and ABSG produce an output bit at time instant $i$ if and only if $y_i = 0$, we conclude that the period of the output sequence $z$ divides $T_A$ (resp. $T_B$) if it is produced by some $y \in \mathcal{Y}_A$ (resp. $y \in \mathcal{Y}_B$).

Now, we note our fundamental assumption: We assume that the output sequence $z$ of the ABSG and BSG algorithms has no subperiod (for an experimental justification, see [2], [3]); i.e., the quantity $T_A$ (resp. $T_B$) is the least period of $z$ if the corresponding input sequence $y \in \mathcal{Y}_A$ (resp. $y \in \mathcal{Y}_B$). Next, we state some auxiliary results that are helpful in deriving bounds on $T_A$ and $T_B$.

Lemma 3.7: For any three consecutive "runs"⁴ in $x$, we observe at least one 0 in the corresponding $y$ sequence.

Proof: Suppose we have runs $r_1, r_2, r_3$ in the $x$ sequence after the $l$-th entry:

$x = (\ldots, b^{r_1}, \bar{b}^{r_2}, b^{r_3}, \ldots).$

Then, we have the following alternatives from the definition of algorithm A:

i) $y_l = 0$: if $r_1 \geq 2$, then $y_{l+2} = 0$; if $r_1 = 1$, then $y_{l+r_1+r_2+1} = 0$;

ii) $y_l = b \Longrightarrow y_{l+1} = 0$;

iii) $y_l = \bar{b} \Longrightarrow y_{l+r_1+1} = 0$;

where $b \in \{0, 1\}$. ■

Remark 3.10: Given an $(x, y)$ pair such that $y = A(x)$, Lemma 3.7 implies a bound on the minimum number of 0's in $y$ given the number of runs in $x$.

Proposition 3.2:

$\left\lceil \frac{2^{L-1}}{3} \right\rceil \leq T_A \leq 2^{L-1} - 1. \quad (7)$

Proof: We begin with the lower bound. From the definition of $\mathcal{Y}_A$, we know, by assumption, that $x$, which forms $y \in \mathcal{Y}_A$, is an m-sequence, for which the total number of runs is $2^{L-1}$ [1]. Partitioning all the runs of $x$ into groups of 3 and using Lemma 3.7, we obtain $\lfloor 2^{L-1}/3 \rfloor \leq W_0(y_1^T)$. In addition, $y_T = 0$, since $y \in \mathcal{Y}_A$. Thus, $\lfloor 2^{L-1}/3 \rfloor + 1 = \lceil 2^{L-1}/3 \rceil \leq W_0(y_1^T)$, which forms our lower bound. The upper bound directly follows from the definition of algorithm A, since there can be at most 1 bit of output (i.e., one instance of 0) per 2 bits of input $x$ (equivalently 2 bits of $y$) and the length of $x$ within one period is $2^L - 1$ [1]. ■

³ A related discussion on this issue was also provided in [2] without a rigorous proof.
⁴ For a precise definition of a "run", see [1].



Corollary 3.3:

$2^{L-1} \leq T_B \leq 2^L - 1 - \left\lceil \frac{2^{L-1}}{3} \right\rceil. \quad (8)$

Corollary 3.3 directly follows from Proposition 3.2 and Corollary 3.2.

Corollary 3.4: Assuming that all initial states of the LFSR are equally likely, we have

$\Pr(y \in \mathcal{Y}_A) = \frac{T_A}{T}, \qquad \Pr(y \in \mathcal{Y}_B) = \frac{T_B}{T}.$

Corollary 3.4 is obvious using Corollary 3.1 and Corollary 3.2.

Remark 3.11: Letting $T_z$ denote the average period of $z$ (where the probability space is induced by all possible equally likely initial states of the LFSR, excluding the all-zero state), using Corollary 3.4 and Remark 3.9 we have

$T_z = \Pr(y \in \mathcal{Y}_A)\, T_A + \Pr(y \in \mathcal{Y}_B)\, T_B = \frac{T_A^2 + T_B^2}{T_A + T_B}. \quad (9)$

The following bounds on $T_z$ are direct consequences of Corollary 3.2, Proposition 3.2 and Corollary 3.3.

Corollary 3.5:

$\frac{(2^{L-1} - 1)^2 + (2^{L-1})^2}{2^L - 1} \leq T_z \leq \frac{\left\lceil \frac{2^{L-1}}{3} \right\rceil^2 + \left(2^L - 1 - \left\lceil \frac{2^{L-1}}{3} \right\rceil\right)^2}{2^L - 1}. \quad (10)$

The result (10) follows from straightforward calculus, where we perform constrained optimization with the cost function (9), subject to the constraints (6), (7), (8).

Remark 3.12: For large values of $L$, (10) may be approximated by the following inequality:

$\frac{9}{18}\, 2^L \leq T_z \leq \frac{13}{18}\, 2^L.$

Remark 3.13: If the input sequence $x$ is such that $y = A(x) \in \mathcal{Y}_A$ (resp. $y = A(x) \in \mathcal{Y}_B$), then the output rate of both the BSG and ABSG algorithms (recall the definitions of $B$ and $C$) is given by $\frac{T_A}{T}$ (resp. $\frac{T_B}{2T}$). Further investigation of the output rate is worth pursuing, which constitutes the topic of Section IV.
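Added example (not the paper's code) that reproduces Theorem 3.1, Corollaries 3.1, 3.2 and 3.5 and eq. (9) numerically: every non-zero initial state of a 5-stage LFSR with the feedback polynomial x^5 + x^2 + 1 (assumed primitive, and checked by measuring the period) is run through algorithm A for 2T bits, the outputs are split into Y_A and Y_B by the value of y_T, and the set sizes are compared with T_A and T_B. The `step_A` rule is a reconstruction of Table I from Definitions 2.2-2.4 and Remark 2.2, not the table itself.

```python
from fractions import Fraction
from itertools import product

# Added example, not code from the paper. 5-stage LFSR with feedback
# polynomial x^5 + x^2 + 1 (assumed primitive): x[n+5] = x[n+2] XOR x[n].
L = 5
TAPS = (2, 0)
S_ZERO, S_ZBAR, S_ONE = "0", "0bar", "1"   # state alphabet of algorithm A


def lfsr_bits(seed, length):
    """Fibonacci LFSR output starting from the L-bit initial state x_1^L = seed."""
    x = list(seed)
    while len(x) < length:
        n = len(x) - L
        bit = 0
        for t in TAPS:
            bit ^= x[n + t]
        x.append(bit)
    return x


def period(x):
    """Least p > 0 with x[p:p+L] == x[:L]; an L-bit window fixes the LFSR state."""
    for p in range(1, len(x) - L):
        if x[p:p + L] == x[:L]:
            return p
    raise ValueError("no period found in the generated prefix")


def step_A(y_prev, x):
    """M(y_{i-1}, x_i); reconstruction of Table I (an assumption): a 0 state means a
    block just ended, otherwise the state remembers the opening bit of the block."""
    if y_prev == S_ZERO:
        return S_ONE if x == 1 else S_ZBAR
    opening_bit = 1 if y_prev == S_ONE else 0
    return S_ZERO if x == opening_bit else y_prev


def run_A(x):
    """y = A(x) with y_0 = 0; returns [y_0, ..., y_N]."""
    y = [S_ZERO]
    for bit in x:
        y.append(step_A(y[-1], bit))
    return y


def classify_outputs():
    """Definitions 3.2-3.4: Y = {A(x)} over all T non-zero initial states, split by
    y_T; T_A = W_0(y_1^T) for y in Y_A and T_B = W_0(y_1^{2T}) for y in Y_B."""
    T = 2 ** L - 1
    count_A = count_B = 0
    zeros_A, zeros_B = set(), set()
    for seed in product((0, 1), repeat=L):
        if not any(seed):
            continue                      # the all-zero state is excluded (set X)
        x = lfsr_bits(seed, 2 * T + L)
        if period(x) != T:
            raise ValueError("feedback polynomial is not primitive")
        y = run_A(x[:2 * T])              # y[i] is y_i, y[0] = y_0 = 0
        if y[T] == S_ZERO:
            count_A += 1
            zeros_A.add(y[1:T + 1].count(S_ZERO))
        else:
            count_B += 1
            zeros_B.add(y[1:2 * T + 1].count(S_ZERO))
    if len(zeros_A) != 1 or len(zeros_B) != 1:
        raise ValueError("zero count is not constant within Y_A or Y_B")
    return {"T": T, "Y_A": count_A, "Y_B": count_B,
            "T_A": zeros_A.pop(), "T_B": zeros_B.pop()}


def expected_period(res):
    """Eq. (9): T_z = Pr(y in Y_A) T_A + Pr(y in Y_B) T_B = (T_A^2 + T_B^2) / T,
    under the no-subperiod assumption of Section III-C."""
    return Fraction(res["T_A"] ** 2 + res["T_B"] ** 2, res["T"])


def period_bounds(res):
    """Eq. (10): lower and upper bound on T_z for this L, as exact fractions."""
    T, half = res["T"], 2 ** (L - 1)
    low = Fraction((half - 1) ** 2 + half ** 2, T)
    t_min = -(-half // 3)                 # ceil(2^{L-1} / 3), the lower bound in (7)
    high = Fraction(t_min ** 2 + (T - t_min) ** 2, T)
    return low, high


if __name__ == "__main__":
    r = classify_outputs()
    print(r)                               # expect |Y_A| == T_A and |Y_B| == T_B
    print("T_z =", expected_period(r), "within", period_bounds(r))
```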

IV. Probabilistic Setup 

In this section, we analyze the output rate of the ABSG and BSG algorithms under the assumption that the input is a stochastic process (hence the probabilistic setup). In particular, we assume that the input sequence is an evenly distributed binary sequence. Since all pseudo-random number generators aim to produce sequences that "look" truly random, quantifying the behavior of the BSG and ABSG algorithms with evenly distributed input sequences helps us to have a better understanding of these two algorithms.

Since the output rate is directly determined by the number of 0's in the output sequence of algorithm A, denoted by $\{Y_i\}$ (given the length of the input sequence $\{X_i\}$), for both the BSG and ABSG algorithms, analyzing the probabilistic behavior of $\{Y_i\}$ suffices to quantify the rate distribution. In order to achieve this task, we initially focus on the distribution of the internal state variables $\{Y_i\}$ in Section IV-A. In particular, we derive the marginal probability distribution $\Pr(Y_i)$ and the conditional probability distribution $\Pr(Y_i \mid Y_0^{i-1})$ for some $i \geq 1$. Using these results for a fixed-length input, we calculate the probability mass function of the output length (i.e., given $N$, the number of 0's in $Y_1^N$) in Section IV-B, which directly implies the rate distribution in the probabilistic setup. As a result, we derive the mean and variance of the output rate. In Section IV-C we extend our analysis to include the asymptotic behavior of the rate; in particular, we show that the output rate is concentrated around its mean with exponential tightness.

A. Distribution of the Internal State Variables

Definition 4.1:

$\alpha_n \triangleq \Pr(Y_n = 0), \qquad \beta_n \triangleq \Pr(Y_n = \bar{0}), \qquad \theta_n \triangleq \Pr(Y_n = 1).$

Theorem 4.1: For algorithm A, if the input $\{X_i\}$ is an i.i.d. Bernoulli process with probability 1/2, then for $n \in \mathbb{Z}^+$ the following four statements hold:

$\alpha_{2n} = \frac{1}{3} + \frac{2}{3} \cdot 2^{-2n}, \quad (11)$

$\beta_{2n} = \theta_{2n} = \frac{1}{3} - \frac{1}{3} \cdot 2^{-2n}, \quad (12)$

$\alpha_{2n+1} = \frac{1}{3} - \frac{1}{3} \cdot 2^{-2n}, \quad (13)$

$\beta_{2n+1} = \theta_{2n+1} = \frac{1}{3} + \frac{1}{6} \cdot 2^{-2n}. \quad (14)$

Proof: See Appendix III. ■

Next, we concentrate on the conditional probability distribution $\Pr(Y_i \mid Y_0^{i-1})$. Using Definition 2.2 we immediately observe the following result:

Corollary 4.1: From Table I we see that if the input sequence $\{X_i\}$ is evenly distributed, the internal state sequence $\{Y_i\}$ is a Markov process with memory one and the initial condition $Y_0 = 0$, which implies

$\Pr(Y_i \mid Y_0^{i-1}) = \Pr(Y_i \mid Y_{i-1}),$

where, for all $i > 0$,

$\Pr(Y_i = 0 \mid Y_{i-1} \neq 0) = \tfrac{1}{2}, \qquad \Pr(Y_i \neq 0 \mid Y_{i-1} \neq 0) = \tfrac{1}{2},$

$\Pr(Y_i = 0 \mid Y_{i-1} = 0) = 0, \qquad \Pr(Y_i \neq 0 \mid Y_{i-1} = 0) = 1.$

B. Distribution of the Output Length and the Rate 

Since we aim to characterize the distribution of the number of 0's in $Y_1^N$ (given $N$), we first define an auxiliary random sequence $\{Q_i\}$ for the sake of convenience.

Definition 4.2: At each time instant $i \geq 0$, the random variable $Q_i$ is defined as

$$Q_i = \begin{cases} 1, & \text{if } Y_i = 0, \\ 0, & \text{otherwise.} \end{cases}$$

Remark 4.1: Using Corollary 4.1 and Definition 4.2 we observe that if the input sequence $\{X_i\}$ is evenly distributed, the sequence $\{Q_i\}$ is a Markov process with memory one and the initial condition $Q_0 = 1$, which implies

$$\Pr(Q_i \mid Q_0^{i-1}) = \Pr(Q_i \mid Q_{i-1}),$$

where, for all $i > 0$,

$$\Pr(Q_i = 1 \mid Q_{i-1} = 0) = \tfrac{1}{2}, \qquad \Pr(Q_i = 0 \mid Q_{i-1} = 0) = \tfrac{1}{2},$$

$$\Pr(Q_i = 1 \mid Q_{i-1} = 1) = 0, \qquad \Pr(Q_i = 0 \mid Q_{i-1} = 1) = 1.$$

Next, we derive the probability mass function (pmf) of $W_0(Y_1^N)$, which will yield the probabilistic behavior of the output rate of BSG and ABSG algorithms. For the sake of convenience, we use the following definition.

Definition 4.3: $H = W_0(Y_1^N) = W_1(Q_1^N)$.

Theorem 4.2: The probability mass function of $H$ is given by

$$\Pr(H = k) = \begin{cases} 2^{-N+1}, & \text{for } k = 0, \\[4pt] \dbinom{N-k-1}{k}\, 2^{-(N-k-1)} + \dbinom{N-k-1}{k-1}\, 2^{-(N-k)}, & \text{for } 0 < k < \frac{N}{2} \text{ and } k \in \mathbb{Z}^+, \\[4pt] 2^{-N/2}, & \text{for } N \text{ even and } k = \frac{N}{2}. \end{cases} \qquad (15)$$

Proof: See Appendix IV. ■
Next, we derive the mean and variance of $H$.

Proposition 4.1:

$$E[H] = \frac{N}{3} - \frac{2}{9} + \frac{2}{9}\left(-\frac{1}{2}\right)^N. \qquad (16)$$

Proof: We have

$$E[H] = E\Big[\sum_{i=1}^{N} Q_i\Big] = \sum_{i=1}^{N} \Pr(Q_i = 1) = \sum_{i=1}^{N} \Pr(Y_i = 0) = \sum_{i=1}^{N} \alpha_i = \sum_{i=1}^{N} \left[\frac{1}{3} + \frac{2}{3}\left(-\frac{1}{2}\right)^{i}\right] \qquad (17)$$

$$= \frac{N}{3} + \frac{2}{3}\cdot\frac{(-1/2)\left(1 - (-1/2)^N\right)}{1 + 1/2} = \frac{N}{3} - \frac{2}{9} + \frac{2}{9}\left(-\frac{1}{2}\right)^N,$$

where (17) follows from (11) and (13). ■

Remark 4.2: The output rate of an algorithm is the reciprocal of the number of input bits needed to produce one output bit, so the output rate of BSG and ABSG algorithms is $H/N$, whose expected value is given by

$$E[H/N] = \frac{E[H]}{N} = \frac{1}{3} - \frac{2}{9N} + \frac{2}{9N}\left(-\frac{1}{2}\right)^N. \qquad (18)$$

Note that (18) gives the analytical expression for the expected value of the rate, with the asymptotic value of 1/3; the asymptotic result has also been provided in [2], [3].

Remark 4.3: We note that, under the evenly-distributed input approximation in the deterministic setup, (18) implies that $T_A \approx T/3$, which is also justified by experiments (recall the results of Section III-B). Since $T_A + T_B = T$ (Corollary 3.2), (18) also implies $T_B \approx 2T/3$. Moreover, recalling Remark 3.13, this observation implies that the rate in the deterministic setup is about 1/3 under the evenly-distributed input approximation. Also, from (9), we note that T z rj ^ under this approximation, which implies that the lower bound of Remark 3.12 is tighter than its upper bound counterpart.
Proposition 4.2:

$$\operatorname{Var}(H) = \frac{2N}{27} + \frac{2}{81} + \left(\frac{4N}{27} + \frac{2}{81}\right)\left(-\frac{1}{2}\right)^N - \frac{4}{81}\left(\frac{1}{4}\right)^N. \qquad (19)$$

Proof: See Appendix V. ■
Next, we aim to find out the concentration of the rate around its mean. Since the actual distribution is difficult to handle, 
we analyze it asymptotically, which is the topic of the next section. 

C. Asymptotic Behavior and Bounds 

In the discussions and developments presented in this section, we heavily make use of "attributes", "recurrent events" and 
their properties. A comprehensive reading about this subject is given in Chapter XIII of [12]. 

We term $\varepsilon$ to be an "attribute" of the finite sequence $(A_{i_1}, A_{i_2}, \ldots, A_{i_n})$ if it is uniquely determined whether this sequence has, or has not, the characteristic $\varepsilon$. Then, the statement "$\varepsilon$ occurs at the $n$-th place in the sequence $\{A_{i_j}\}$" is equivalent to saying "the subsequence $(A_{i_1}, A_{i_2}, \ldots, A_{i_n})$ has the attribute $\varepsilon$" [12].

Definition 4.4: [12] The attribute $\varepsilon$ defines a recurrent event if:

• In order that $\varepsilon$ occurs at the $n$-th and $(n+m)$-th place of the sequence $\{A_{i_j}\}_{j=1}^{n+m}$ it is necessary and sufficient that $\varepsilon$ occurs at the last place in each of the two subsequences $\{A_{i_j}\}_{j=1}^{n}$ and $\{A_{i_j}\}_{j=n+1}^{n+m}$.

• Whenever this is the case, we have

$$\Pr(A_{i_1}, A_{i_2}, \ldots, A_{i_{n+m}}) = \Pr(A_{i_1}, A_{i_2}, \ldots, A_{i_n}) \cdot \Pr(A_{i_{n+1}}, A_{i_{n+2}}, \ldots, A_{i_{n+m}}).$$



Definition 4.5: We define the attribute $\zeta$ such that it is said to occur at the $n$-th place in the (potentially infinite) sequence $\{Q_i\}$ if $Q_n = 1$.

Lemma 4.1: The attribute $\zeta$ defines a recurrent event.

Proof: First, we note that, in order to have $\zeta$ occurring at the $n$-th and $(n+m)$-th places of the sequence $(Q_1, Q_2, \ldots, Q_{n+m})$, it is necessary and sufficient to have $Q_n = Q_{n+m} = 1$, which implies that $\zeta$ occurs at the last places of the two subsequences $(Q_1, Q_2, \ldots, Q_n)$ and $(Q_{n+1}, Q_{n+2}, \ldots, Q_{n+m})$. Furthermore, because of the Markovian property of $\{Q_i\}$ and the initial condition $Q_0 = 1$, we have

$$\Pr[\zeta \text{ occurs at the } n\text{-th and } (n+m)\text{-th places of } (Q_1, Q_2, \ldots, Q_{n+m})] = \Pr(Q_{n+m} = 1, Q_n = 1 \mid Q_0 = 1) = \Pr(Q_{n+m} = 1 \mid Q_n = 1) \cdot \Pr(Q_n = 1 \mid Q_0 = 1)$$

$$= \Pr[\zeta \text{ occurs at the } n\text{-th place of } (Q_1, Q_2, \ldots, Q_n)] \cdot \Pr[\zeta \text{ occurs at the } (n+m)\text{-th place of } (Q_{n+1}, Q_{n+2}, \ldots, Q_{n+m})],$$

which implies that $\zeta$ is recurrent. ■
Lemma 4.2: The recurrent event $\zeta$ is persistent.

Proof: We recall that [12] $\zeta$ is persistent if $\sum_{n=1}^{\infty} f_n = 1$, where

$$f_n = \Pr(\zeta \text{ occurs for the first time at the } n\text{-th trial}). \qquad (20)$$

Hence,

$$f_n = \Pr(Q_1 = 0, Q_2 = 0, \ldots, Q_{n-1} = 0, Q_n = 1 \mid Q_0 = 1).$$

Thus, clearly

$$f_1 = 0. \qquad (21)$$

For $n > 1$, using the Markovian property of $\{Q_i\}$ and Corollary 4.1 we obtain

$$f_n = \underbrace{\Pr(Q_1 = 0 \mid Q_0 = 1)}_{1}\ \prod_{i=2}^{n-1}\underbrace{\Pr(Q_i = 0 \mid Q_{i-1} = 0)}_{1/2}\ \underbrace{\Pr(Q_n = 1 \mid Q_{n-1} = 0)}_{1/2} = 2^{-(n-1)}, \qquad (22)$$

which implies

$$\sum_{n=1}^{\infty} f_n = \sum_{n=2}^{\infty} 2^{-(n-1)} = \frac{1}{2}\sum_{n=0}^{\infty}\left(\frac{1}{2}\right)^n = \frac{1}{2}\cdot\frac{1}{1 - 1/2} = 1. \qquad ■$$



Theorem 4.3: Asymptotically, as $N \to \infty$, $H$ is Gaussian distributed with mean $N/3$ and variance $2N/27$.

Proof: First, we note that $H$ represents the number of occurrences of $\zeta$ in the first $N$ trials. Next, we introduce the random variable $T$ such that

$$\Pr(T = n) = f_n,$$

where $f_n$ is defined in (20) and its value is given in (21)-(22). Note that $T$ can also be referred to as the recurrence time of $\zeta$. Let $\mu_T$ and $\sigma_T^2$ represent the mean and variance of $T$, respectively. We know that, if $\mu_T, \sigma_T^2 < \infty$, as $N \to \infty$, $H \sim \mathcal{N}\!\left(\frac{N}{\mu_T}, \frac{N\sigma_T^2}{\mu_T^3}\right)$ ([12], p. 297, Theorem 1). Before proceeding further, recall the following standard results from calculus: given $|a| < 1$, we have

$$\sum_{i=0}^{\infty} i\,a^i = \frac{a}{(1-a)^2}, \qquad \sum_{i=0}^{\infty} i^2 a^i = \frac{a(1+a)}{(1-a)^3}. \qquad (23)$$

Using (21)-(23), we get

$$\mu_T = \sum_{i=1}^{\infty} i f_i = \sum_{i=2}^{\infty} i\, 2^{-(i-1)} = 2\sum_{i=0}^{\infty} i\left(\frac{1}{2}\right)^i - 1 = 2\cdot\frac{1/2}{(1 - 1/2)^2} - 1 = 3,$$

$$\sigma_T^2 = E[T^2] - \mu_T^2 = \sum_{i=1}^{\infty} i^2 f_i - 9 = \sum_{i=2}^{\infty} i^2\, 2^{-(i-1)} - 9 = 2\sum_{i=0}^{\infty} i^2\left(\frac{1}{2}\right)^i - 10 = 2\cdot\frac{(1/2)(3/2)}{(1 - 1/2)^3} - 10 = 2,$$

which are obviously finite; consequently $\frac{N}{\mu_T} = \frac{N}{3}$ and $\frac{N\sigma_T^2}{\mu_T^3} = \frac{2N}{27}$. ■
Corollary 4.2: We asymptotically have

$$\Pr\big(|H - E[H]| > \epsilon\, E[H]\big) \approx 2\,Q\!\left(\epsilon\sqrt{\frac{3N}{2}}\right) \leq e^{-3N\epsilon^2/4},$$

where $Q(x) = \int_x^{\infty} \frac{1}{\sqrt{2\pi}} e^{-t^2/2}\, dt$. Hence, $H$ is asymptotically exponentially tight around its mean value $N/3$.

Corollary 4.2 directly follows from Theorem 4.3, the definition of the $Q$-function and the well-known upper bound

$$Q(a) \leq \frac{1}{2} e^{-a^2/2}.$$

Next, we illustrate the aforementioned results via an experimental study. In Fig. 2 we compare the actual distribution of $H = W_0(Y_1^N) = W_1(Q_1^N)$ (given in Theorem 4.2) with the asymptotically-converging Gaussian distribution (given in Theorem 4.3). In the left panel, we compare the corresponding c.d.f.s (cumulative distribution functions); in the right panel, the relative entropy (Kullback-Leibler) distance is used as the basis of comparison⁵. We note that even for remarkably small values of $N$ for cryptographic purposes (e.g., $N = 100$), the asymptotic Gaussian approximation is valid in practice. Recall that the case of length-$N$ roughly corresponds to a length-$\log N$ LFSR in practical implementations; thus, our experiments reveal that convergence to the Gaussian approximation is remarkably fast.

⁵ Recall that for two distributions $p(t)$ and $q(t)$, the relative entropy between $p$ and $q$ is given by $D(p\|q) = \int_t p(t)\log\frac{p(t)}{q(t)}\, dt$.

Fig. 2. Comparison of the actual distribution of $H = W_0(Y_1^N) = W_1(Q_1^N)$ given in Theorem 4.2 and the asymptotically-valid Gaussian distribution given in Theorem 4.3: (a) the comparison is done via plotting c.d.f.s (cumulative distribution functions); the dotted, dash-dotted, and dashed lines show the actual c.d.f. of $H$ for $N = 10$, $N = 100$, $N = 1000$, respectively; the solid line represents the Gaussian approximation; (b) we compare the actual distribution of $H$ and the Gaussian distribution in the sense of relative entropy (also known as Kullback-Leibler distance) as a function of the length of the sequence, $N$.
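The closed forms of Section IV-B and IV-C can be checked directly against the two-state chain $\{Q_i\}$ of Remark 4.1. The following Python script is an added example, not code from the paper; it enumerates the chain exactly with rational arithmetic, evaluates (15), (16), (19) and the Gaussian limit of Theorem 4.3, and the function names are ours.

```python
from fractions import Fraction
from math import comb, erf, exp, sqrt

HALF = Fraction(1, 2)


def pmf_by_enumeration(N):
    """Exact pmf of H = W_1(Q_1^N) by dynamic programming over the chain of
    Remark 4.1: Q_0 = 1, Pr(Q_i=0|Q_{i-1}=1) = 1, Pr(Q_i=1|Q_{i-1}=0) = 1/2."""
    # dist maps (current Q_i, number of 1s among Q_1..Q_i) -> probability
    dist = {(1, 0): Fraction(1)}
    for _ in range(N):
        nxt = {}
        for (q, h), p in dist.items():
            if q == 1:  # a 1 is always followed by a 0
                nxt[(0, h)] = nxt.get((0, h), 0) + p
            else:       # a 0 is followed by 0 or 1, each with probability 1/2
                nxt[(0, h)] = nxt.get((0, h), 0) + p * HALF
                nxt[(1, h + 1)] = nxt.get((1, h + 1), 0) + p * HALF
        dist = nxt
    pmf = {}
    for (_, h), p in dist.items():
        pmf[h] = pmf.get(h, 0) + p
    return pmf


def pmf_theorem_4_2(N):
    """Closed form (15): placements of '10' patterns weighted by run probabilities."""
    pmf = {0: HALF ** (N - 1)}
    for k in range(1, N // 2 + 1):
        if N % 2 == 0 and k == N // 2:  # only 0101...01 carries N/2 ones
            pmf[k] = HALF ** (N // 2)
        else:                           # Q_N = 0 term (IV-5) plus Q_N = 1 term (IV-4)
            pmf[k] = (comb(N - k - 1, k) * HALF ** (N - k - 1)
                      + comb(N - k - 1, k - 1) * HALF ** (N - k))
    return pmf


def mean_var(pmf):
    """Mean and variance of a pmf given as {value: probability}."""
    mean = sum(k * p for k, p in pmf.items())
    return mean, sum(k * k * p for k, p in pmf.items()) - mean * mean


def closed_form_mean_var(N):
    """Proposition 4.1, i.e. (16), and Proposition 4.2, i.e. (19)."""
    r = (-HALF) ** N
    mean = Fraction(N, 3) - Fraction(2, 9) + Fraction(2, 9) * r
    var = (Fraction(2 * N, 27) + Fraction(2, 81)
           + (Fraction(4 * N, 27) + Fraction(2, 81)) * r
           - Fraction(4, 81) * Fraction(1, 4) ** N)
    return mean, var


def gaussian_cdf_gap(N):
    """Largest |F_H(k) - Phi((k + 1/2 - N/3) / sqrt(2N/27))| over k: the distance
    between the exact cdf of H and the (continuity-corrected) limit of Theorem 4.3."""
    pmf = pmf_theorem_4_2(N)
    mu, sigma = N / 3, sqrt(2 * N / 27)
    cdf, gap = 0.0, 0.0
    for k in range(N // 2 + 1):
        cdf += float(pmf.get(k, 0))
        phi = 0.5 * (1 + erf((k + 0.5 - mu) / (sigma * sqrt(2))))
        gap = max(gap, abs(cdf - phi))
    return gap


def tail_vs_bound(N, eps):
    """Exact Pr(|H - E[H]| > eps*E[H]) next to the bound exp(-3 N eps^2 / 4) of Corollary 4.2."""
    pmf = pmf_theorem_4_2(N)
    mean = closed_form_mean_var(N)[0]
    tail = sum(p for k, p in pmf.items() if abs(k - mean) > eps * mean)
    return float(tail), exp(-3 * eps * eps * N / 4)


if __name__ == "__main__":
    for N in (10, 100, 1000):
        m, v = closed_form_mean_var(N)
        print(N, float(m) / N, float(v), gaussian_cdf_gap(N), tail_vs_bound(N, 0.2))
```

For N = 100 the script reports the mean rate close to 1/3 and a cdf gap of a few hundredths, matching the left panel of Fig. 2.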

V. Conclusion 

In this paper, we develop a further theoretic understanding of BSG and ABSG algorithms and analytically quantify periodicity 
and output rate properties. As far as the input sequence is concerned, we consider both deterministic and probabilistic setups; all 
of our results hold both for BSG and ABSG algorithms. In the deterministic case, we derive fundamental results on periodicity 
properties, where we assume that the input is a m-sequence. We prove that there are exactly two different disjoint sets of 
output sequences; in addition, any element in one of these two sets is a proper shift of any other element in the same set. 
Moreover, by using this partitioning, we derive bounds on the expected output period under the no subperiod assumption. In the 
probabilistic setup, we assume that the input is a realization of an i.i.d Bernoulli process with probability 1/2. We derive the 
probability mass function of the number of output bits given the input length and analytically derive the output rate. Moreover, 
we prove that the aforementioned distribution converges to a Gaussian distribution as the sample size tends to infinity. Further, 
we use this result to show that the output rate is exponentially-concentrated around 1/3, which is a notable property of BSG 
and ABSG. 
Appendix I
Proof of Lemma 3.5

i) Since Lemma 3.3 is valid for all $i, k$, $k < i$, it directly implies that

$$[y_k = 0] \Rightarrow [\tilde{y} = (y, k)],$$

where $\tilde{y} = \mathcal{A}((x, k))$. Hence, in order to prove part (i) of Lemma 3.5 we need to show that

$$[\tilde{y} = (y, k)] \Rightarrow [\tilde{y} \in \mathcal{Y}_A].$$

Note that $\tilde{y}$ is generated by $(x, k)$, which is an m-sequence as well [1]. This means

$$[\tilde{y}_T = 0] \Rightarrow [\tilde{y} \in \mathcal{Y}_A].$$

Thus, in order to prove part (i) of Lemma 3.5 it is sufficient to show that $\tilde{y}_T = 0$ (I-1). Now, we have

$$0 = y_k \qquad (I-2)$$

$$= y_{T+k} \qquad (I-3)$$

$$= \tilde{y}_T, \qquad (I-4)$$

where (I-2) follows from the assumption of part (i) of Lemma 3.5, (I-3) follows from the fact that $y \in \mathcal{Y}_A$ and is $T$-periodic, and (I-4) follows from the definition of $\tilde{y}$. Hence, (I-1) follows, which completes the proof of part (i) of Lemma 3.5.

ii) Using arguments similar to those of part (i) and using the fact that $x$ is $T$-periodic, one can show that in order to prove part (ii) of Lemma 3.5 it is sufficient to show that

$$[\tilde{y} = (y, j)] \Rightarrow [\tilde{y}_T \neq 0], \qquad (I-5)$$

where $k = j \bmod T$. Note that, since $y \in \mathcal{Y}_B$, we assume without loss of generality that $0 \leq j < 2T$ since $y$ is $2T$-periodic per definition. In other words, we prove the claim for the first period and in that case it trivially holds for all the other periods. Thus, we only need to deal with two cases: $j = k$ and $j = k + T$, where $0 \leq k < T$. First, assume $y_k = 0$; then, we have

$$0 = y_k \qquad (I-6)$$

$$= y_{2T+k} \qquad (I-7)$$

$$= \tilde{y}_{2T}, \qquad (I-8)$$

where (I-6) follows from the assumption of $y_k = 0$, (I-7) follows from the fact that $y \in \mathcal{Y}_B$ and is $2T$-periodic, and (I-8) follows from the definition of $\tilde{y}$. Per Lemma 3.4, (I-8) implies $\tilde{y}_T \neq 0$. Hence, the statement (I-5) is valid for $j = k$, $0 \leq k < T$. Using similar arguments with $j = k + T$ instead of $j = k$, it is obvious that (I-5) is also valid for the case of $j = T + k$, $0 \leq k < T$ (where $y_{T+k} = 0$).

□



Appendix II
Proof of Lemma 3.6

We begin with defining the concepts that will be used in the proofs of both part (i) and part (ii). First, we define the permutations $e, \alpha, \beta, \eta, \theta, \gamma \in S_3$ acting on the triplet $(x_1, x_2, x_3)$ [11]:

$$e: (x_1, x_2, x_3) \mapsto (x_1, x_2, x_3), \qquad \eta: (x_1, x_2, x_3) \mapsto (x_1, x_3, x_2), \qquad \theta: (x_1, x_2, x_3) \mapsto (x_2, x_1, x_3),$$

$$\beta: (x_1, x_2, x_3) \mapsto (x_2, x_3, x_1), \qquad \alpha: (x_1, x_2, x_3) \mapsto (x_3, x_1, x_2), \qquad \gamma: (x_1, x_2, x_3) \mapsto (x_3, x_2, x_1).$$
Next, we concentrate on the first $T$ samples of $x$ and $\tilde{x} = (x, k)$. Here, since both $x$ and $\tilde{x}$ are m-sequences (i.e., both are $T$-periodic), we have $x_1^T = (x_1^k, x_{k+1}^T)$ and $\tilde{x}_1^T = (\tilde{x}_1^{T-k}, \tilde{x}_{T-k+1}^T) = (x_{k+1}^T, x_1^k)$. Fixing $x_1^k$ and $x_{k+1}^T$, we define the mappings

$$\varphi: S \mapsto S, \qquad \text{and} \qquad \psi: S \mapsto S,$$

such that

$$[u = \mathcal{M}^k(s, x_1^k)] \Leftrightarrow [u = \varphi(s)],$$

$$[u = \mathcal{M}^{T-k}(s, x_{k+1}^T)] \Leftrightarrow [u = \psi(s)],$$

for any $s, u \in S$ (recall Definition 2.6). Next, recalling Remark 2.5, we note that $\varphi, \psi \in S_3$.

Now, we proceed with the proof of Lemma 3.6. First, note that for the case of $\tilde{y} = y$, the lemma trivially holds with $k = 0$, recalling the assumption of $y_0 = 0$ for $\mathcal{A}$. Next, we consider the case of $\tilde{y} \neq y$ and discuss each part of the lemma separately.

i) Since $\tilde{y} \in \mathcal{Y}_A$ per assumption of part (i) of the lemma, it should be produced by an m-sequence that is a shifted version of $x$, where $y = \mathcal{A}(x)$. Since any m-sequence for a given feedback polynomial is a shifted version of another m-sequence for the same feedback polynomial [1], there exists some $k \in \{1, 2, \ldots, T-1\}$ such that $\tilde{y} = \mathcal{A}((x, k))$; furthermore, such a $k$ is unique because $\mathcal{A}(\cdot)$ is one-to-one (recall Remark 3.11). Hence, proving part (i) of Lemma 3.6 reduces to showing $y_k = 0$.

Next, we define the auxiliary state variable $\mathbf{s}_0 = (0, 0, 1) \in S$ and use it as the reference point. Note that since $y, \tilde{y} \in \mathcal{Y}_A$, we have $y_T = \tilde{y}_T = 0$. Also, since $T = 2^L - 1$ is odd, the permutation order of $\mathcal{M}^T$ is 2 (Lemma 3.2). This implies that

$$\mathcal{M}^T(\mathbf{s}_0, x_1^T) = \mathcal{M}^T(\mathbf{s}_0, \tilde{x}_1^T) = (0, 1, 0)^T. \qquad (II-1)$$

Moreover, for fixed $x_1^T$ (hence for fixed $\tilde{x}_1^T$ since $\tilde{x}_1^T = (x_{k+1}^T, x_1^k)$), (II-1) is equivalent to

$$\psi \circ \varphi(\mathbf{s}_0) = \varphi \circ \psi(\mathbf{s}_0) = (0, 1, 0)^T.$$

Due to the definition of $\eta \in S_3$, this further implies

$$\psi \circ \varphi = \varphi \circ \psi = \eta.$$

Since $\eta \neq e$, $\varphi$ and $\psi$ cannot be inverses of each other. Furthermore, $S_3$ is non-abelian, so we necessarily need to have one of the two following cases:

- Case 1: $\psi = e$ and $\varphi = \eta$,

- Case 2: $\varphi = e$ and $\psi = \eta$.

Now, observe that in both cases, $\varphi$ preserves the location of the first element, i.e., the first element of $\varphi(\mathbf{s}_0)$ is equal to 0. Hence, we necessarily have $y_k = 0$, which completes the proof of part (i).
ii) Since $\tilde{y} \in \mathcal{Y}_B$ per assumption of part (ii) of the lemma, it should be produced by an m-sequence that is a shifted version of $x$, where $y = \mathcal{A}(x)$. This implies that there exists some $k \in \{1, 2, \ldots, T-1\}$ such that $\tilde{y} = \mathcal{A}((x, k))$; furthermore, such a $k$ is unique because $\mathcal{A}(\cdot)$ is one-to-one (recall Remark 3.11). Also, recall that Lemma 3.4 implies both $y_k$ and $y_{T+k}$ cannot be 0 at the same time. Hence, the remaining task is to prove $y_j = 0$ for $j \equiv k \bmod T$ for some unique $j \in \{1, 2, \ldots, 2T-1\}$ since $\mathcal{Y}_B$ is $2T$-periodic (i.e., it is sufficient to show either $y_k = 0$ or $y_{T+k} = 0$). Now, we use the same reference point $\mathbf{s}_0$ as in part (i), and note that since $y, \tilde{y} \in \mathcal{Y}_B$, we have $y_T \neq 0$ and $\tilde{y}_T \neq 0$.

Also, since $T$ is odd, the permutation order of $\mathcal{M}^T$ is 2 (Lemma 3.2), which implies for $y$

$$\mathcal{M}^T(\mathbf{s}_0, x_1^T) = (0, 0, 1)^T \quad \text{or} \quad \mathcal{M}^T(\mathbf{s}_0, x_1^T) = (1, 0, 0)^T, \qquad (II-2)$$

and for $\tilde{y}$

$$\mathcal{M}^T(\mathbf{s}_0, \tilde{x}_1^T) = (0, 0, 1)^T \quad \text{or} \quad \mathcal{M}^T(\mathbf{s}_0, \tilde{x}_1^T) = (1, 0, 0)^T. \qquad (II-3)$$

Moreover, for fixed $x_1^T$ (hence for fixed $\tilde{x}_1^T$ since $\tilde{x}_1^T = (x_{k+1}^T, x_1^k)$), (II-2) and (II-3) are equivalent to

$$\psi \circ \varphi(\mathbf{s}_0) = (0, 0, 1)^T \quad \text{or} \quad \psi \circ \varphi(\mathbf{s}_0) = (1, 0, 0)^T,$$

and

$$\varphi \circ \psi(\mathbf{s}_0) = (0, 0, 1)^T \quad \text{or} \quad \varphi \circ \psi(\mathbf{s}_0) = (1, 0, 0)^T,$$

respectively.

Due to the definition of $\theta \in S_3$ and $\gamma \in S_3$, this can also be rewritten as

$$\psi \circ \varphi = \theta \quad \text{or} \quad \psi \circ \varphi = \gamma,$$

and

$$\varphi \circ \psi = \theta \quad \text{or} \quad \varphi \circ \psi = \gamma,$$

respectively.

Now, the tedious part of the proof begins. We have the following four possibilities:

- Case 1, $\psi \circ \varphi = \varphi \circ \psi = \theta$: Using similar arguments to those used for the proof of part (i), one can show that we either have $(\varphi = e, \psi = \theta)$, or $(\varphi = \theta, \psi = e)$. If $(\varphi = e, \psi = \theta)$ (resp. $(\varphi = \theta, \psi = e)$), then $y_k = 0$ (resp. $y_{T+k} = 0$).

- Case 2, $\psi \circ \varphi = \varphi \circ \psi = \gamma$: Using similar arguments to those used for the proof of part (i), one can show that we either have $(\varphi = e, \psi = \gamma)$, or $(\varphi = \gamma, \psi = e)$. If $(\varphi = e, \psi = \gamma)$ (resp. $(\varphi = \gamma, \psi = e)$), then $y_k = 0$ (resp. $y_{T+k} = 0$).

- Case 3, $(\psi \circ \varphi = \gamma, \varphi \circ \psi = \theta)$: Obviously, we have $\varphi \neq e$ and $\psi \neq e$ (suppose not; this means the one which is not equal to $e$ should be equal to both $\gamma$ and $\theta$, which leads to a contradiction). Also, noting that

$$[\psi = e] \Leftrightarrow [\varphi = \gamma],$$

we conclude $\varphi \neq \gamma$; from symmetry, this also means $\psi \neq \gamma$. Similarly, we also see that $\varphi \neq \theta$ and $\psi \neq \theta$. Thus, $\varphi, \psi \notin \{e, \gamma, \theta\}$, i.e., $\varphi, \psi \in \{\eta, \alpha, \beta\}$. Before proceeding, note that the permutation order of $\eta$ (resp. $\alpha$ and $\beta$) is 2 (resp. 3). Now, we have the following alternatives for the "parity" of $k$:

1) $k$ is odd: The permutation order of $\varphi$ is 2, which directly implies $\varphi = \eta$. Hence, $y_k = 0$.

2) $k$ is even: In this case, $T - k = 2^L - 1 - k$ is odd, which means the permutation order of $\psi$ is 2, i.e., $\psi = \eta$. Also, note that the permutation order of $\psi \circ \varphi$ is 2 since $T$ is odd, which implies $e = \psi \circ \varphi \circ \psi \circ \varphi$ (see the proof of Proposition 3.1). Thus,

$$\varphi \circ \psi \circ \varphi = \psi^{-1} = \eta^{-1} = \eta.$$

This implies $y_{T+k} = 0$.

- Case 4, $(\psi \circ \varphi = \theta, \varphi \circ \psi = \gamma)$: Using symmetry, the proof of case 3 also applies here.

Hence, we necessarily have either $y_k = 0$ or $y_{T+k} = 0$.

□



Appendix III
Proof of Theorem 4.1

In order to prove Theorem 4.1 we first provide Lemmas III.1, III.2 and III.3. We show that Lemma III.1 (resp. Lemma III.2) implies Lemma III.2 (resp. Lemma III.3). Finally, we use Lemma III.3 in the proof of Theorem 4.1. Throughout this section, uppercase boldface letters denote matrices (in contrast with the rest of the paper).

Lemma III.1: Given the $k \times k$ matrix $\mathbf{U}$, where

$$\mathbf{U} = \begin{bmatrix} a & \cdots & a \\ \vdots & \ddots & \vdots \\ a & \cdots & a \end{bmatrix},$$

for some $a \in \mathbb{R}$, we have

$$\mathbf{U}^n = (ka)^{n-1}\,\mathbf{U}, \quad \text{for } n \in \mathbb{Z}^+. \qquad (III-1)$$

Proof: We follow proof by induction.

i) For $n = 2$: Note that $\mathbf{U} = a\mathbf{v}\mathbf{v}^T$, where

$$\mathbf{v} = (1, 1, \ldots, 1)^T, \quad \mathbf{v} \in \mathbb{R}^k, \qquad (III-2)$$

is a $k \times 1$ vector. As a direct consequence, we can write

$$\mathbf{U}^2 = a^2\,\mathbf{v}\underbrace{\mathbf{v}^T\mathbf{v}}_{k}\mathbf{v}^T = k a^2\,\mathbf{v}\mathbf{v}^T = ka\underbrace{a\mathbf{v}\mathbf{v}^T}_{\mathbf{U}} = ka\,\mathbf{U}. \qquad (III-3)$$

ii) For $n > 2$: Suppose the claim holds for $n - 1$, i.e., $\mathbf{U}^{n-1} = (ka)^{n-2}\,\mathbf{U}$. Then,

$$\mathbf{U}^n = \mathbf{U}\mathbf{U}^{n-1} = \mathbf{U}(ka)^{n-2}\,\mathbf{U} = (ka)^{n-2}\,\mathbf{U}^2. \qquad (III-4)$$

Using (III-3) in (III-4), we have

$$\mathbf{U}^n = (ka)^{n-2}(ka)\,\mathbf{U} = (ka)^{n-1}\,\mathbf{U}. \qquad (III-5)$$

■



Lemma III.2: Given the $k \times k$ matrix $\mathbf{V}$, where

$$\mathbf{V} = \begin{bmatrix} a+1 & a & \cdots & a \\ a & a+1 & \cdots & a \\ \vdots & \vdots & \ddots & \vdots \\ a & a & \cdots & a+1 \end{bmatrix}, \qquad (III-6)$$

for some $a \in \mathbb{R}$, we have

$$\mathbf{V}^n = \mathbf{I} + \frac{(1 + ka)^n - 1}{k}\,\mathbf{W}, \quad \text{for } n \in \mathbb{Z}^+,$$

where $\mathbf{W} = \mathbf{v}\mathbf{v}^T$, $\mathbf{v}$ is defined in (III-2), and $\mathbf{I}$ is the $k \times k$ identity matrix.

Proof: Note that $\mathbf{V} = \mathbf{I} + \mathbf{U}$, where

$$\mathbf{U} = a\mathbf{W} = a\mathbf{v}\mathbf{v}^T, \qquad (III-7)$$

as defined in (III-1). Hence,

$$\mathbf{V}^n = (\mathbf{I} + \mathbf{U})^n = \sum_{i=0}^{n}\binom{n}{i}\mathbf{U}^i\mathbf{I}^{n-i} = \mathbf{I} + \sum_{i=1}^{n}\binom{n}{i}\mathbf{U}^i = \mathbf{I} + \sum_{i=1}^{n}\binom{n}{i}(ka)^{i-1}\,\mathbf{U} \qquad (III-8)$$

$$= \mathbf{I} + \frac{\mathbf{U}}{ka}\sum_{i=1}^{n}\binom{n}{i}(ka)^i = \mathbf{I} + \frac{\mathbf{U}}{ka}\left[(1 + ka)^n - 1\right] = \mathbf{I} + \frac{(1 + ka)^n - 1}{k}\,\mathbf{W}, \qquad (III-9)$$

where (III-8) follows from Lemma III.1 and (III-9) follows from (III-7). ■
Lemma III.3: Defining

$$\mathbf{A} = \begin{bmatrix} 0 & 1 & 1 \\ 1 & 1 & 0 \\ 1 & 0 & 1 \end{bmatrix}, \qquad (III-10)$$

for all $n \in \mathbb{Z}^+$ we have

$$\mathbf{A}^{2n} = \mathbf{I}_3 + \frac{1}{3}(2^{2n} - 1)\,\mathbf{W}_3, \qquad (III-11)$$

$$\mathbf{A}^{2n+1} = \mathbf{A} + \frac{2}{3}(2^{2n} - 1)\,\mathbf{W}_3, \qquad (III-12)$$

where

$$\mathbf{W}_3 = \begin{bmatrix} 1 & 1 & 1 \\ 1 & 1 & 1 \\ 1 & 1 & 1 \end{bmatrix}.$$

Proof: A straightforward calculation shows

$$\mathbf{A}^2 = \begin{bmatrix} 2 & 1 & 1 \\ 1 & 2 & 1 \\ 1 & 1 & 2 \end{bmatrix} \qquad \text{and} \qquad \mathbf{I}_3 = \begin{bmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{bmatrix},$$

which satisfies (III-11). Hence, $\mathbf{A}^2$ is of the form (III-6) with $k = 3$ and $a = 1$, which also implies that $\mathbf{A}^2 = \mathbf{I}_3 + \mathbf{W}_3$. Now, using Lemma III.2 we have

$$\mathbf{A}^{2n} = \mathbf{I}_3 + \frac{4^n - 1}{3}\,\mathbf{W}_3 = \mathbf{I}_3 + \frac{1}{3}(2^{2n} - 1)\,\mathbf{W}_3,$$

which proves (III-11). Next, we note that

$$\mathbf{A}\mathbf{W}_3 = \mathbf{W}_3\mathbf{A} = 2\,\mathbf{W}_3. \qquad (III-13)$$

Thus, we have

$$\mathbf{A}^{2n+1} = \mathbf{A}^{2n}\mathbf{A} = \left(\mathbf{I}_3 + \frac{1}{3}(2^{2n} - 1)\,\mathbf{W}_3\right)\mathbf{A} \qquad (III-14)$$

$$= \mathbf{A} + \frac{1}{3}(2^{2n} - 1)\,\mathbf{W}_3\mathbf{A} = \mathbf{A} + \frac{2}{3}(2^{2n} - 1)\,\mathbf{W}_3, \qquad (III-15)$$

where (III-14) and (III-15) follow from (III-11) and (III-13), respectively. Hence the proof of (III-12). ■
Next, we proceed with the proof of the theorem. Because $\{X_i\}$ is evenly distributed, we have

$$\Pr(X_n = 0) = \Pr(X_n = 1) = \frac{1}{2}.$$

Using the definition of algorithm $\mathcal{A}$ (see Table I), we write

$$\alpha_n = \frac{1}{2}(\beta_{n-1} + \theta_{n-1}), \qquad \beta_n = \frac{1}{2}(\alpha_{n-1} + \beta_{n-1}), \qquad \theta_n = \frac{1}{2}(\alpha_{n-1} + \theta_{n-1}),$$

which implies

$$\mathbf{p}_n = \frac{1}{2}\mathbf{A}\mathbf{p}_{n-1},$$

where $\mathbf{A}$ is defined in (III-10) and $\mathbf{p}_n = [\alpha_n, \beta_n, \theta_n]^T$ with the initial condition $\mathbf{p}_0 = [1, 0, 0]^T$. Therefore,

$$\forall n \in \mathbb{Z}^+, \quad \mathbf{p}_n = 2^{-n}\mathbf{A}^n\mathbf{p}_0. \qquad (III-16)$$

Next,

$$\mathbf{p}_{2n} = 2^{-2n}\mathbf{A}^{2n}\mathbf{p}_0 \qquad (III-17)$$

$$= 2^{-2n}\left(\mathbf{I}_3 + \frac{1}{3}(2^{2n} - 1)\,\mathbf{W}_3\right)\mathbf{p}_0 \qquad (III-18)$$

$$= 2^{-2n}\,\mathbf{p}_0 + \frac{1}{3}\left(1 - 2^{-2n}\right)\begin{bmatrix} 1 \\ 1 \\ 1 \end{bmatrix} = \frac{1}{3}\begin{bmatrix} 1 + 2^{-2n+1} \\ 1 - 2^{-2n} \\ 1 - 2^{-2n} \end{bmatrix}, \qquad (III-19)$$

where (III-17) follows from (III-16), and (III-18) follows from (III-11). Hence the proofs of (11) and (12). Similarly,

$$\mathbf{p}_{2n+1} = 2^{-(2n+1)}\mathbf{A}^{2n+1}\mathbf{p}_0 \qquad (III-20)$$

$$= 2^{-(2n+1)}\left(\mathbf{A} + \frac{2}{3}(2^{2n} - 1)\,\mathbf{W}_3\right)\mathbf{p}_0 \qquad (III-21)$$

$$= 2^{-(2n+1)}\,\mathbf{A}\mathbf{p}_0 + \frac{1}{3}\left(1 - 2^{-2n}\right)\mathbf{W}_3\mathbf{p}_0 = \frac{1}{3}\left(1 - 2^{-2n}\right)\begin{bmatrix} 1 \\ 1 \\ 1 \end{bmatrix} + 2^{-2n}\begin{bmatrix} 0 \\ 1/2 \\ 1/2 \end{bmatrix} = \begin{bmatrix} \frac{1}{3} - \frac{1}{3}\,2^{-2n} \\[2pt] \frac{1}{3} + \frac{1}{6}\,2^{-2n} \\[2pt] \frac{1}{3} + \frac{1}{6}\,2^{-2n} \end{bmatrix},$$

where (III-20) follows from (III-16), and (III-21) follows from (III-12). Hence the proofs of (13) and (14). □
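The matrix identities of Lemma III.3 and the state distributions (11)-(14) that follow from (III-16) can be checked with exact integer arithmetic. The following Python script is an added example, not code from the paper; the function names are ours and no external library is needed.

```python
from fractions import Fraction

A = [[0, 1, 1],
     [1, 1, 0],
     [1, 0, 1]]                              # (III-10): p_n = (1/2) A p_{n-1}
I3 = [[1, 0, 0], [0, 1, 0], [0, 0, 1]]
W3 = [[1, 1, 1], [1, 1, 1], [1, 1, 1]]      # W_3 = v v^T with v = (1, 1, 1)^T


def matmul(X, Y):
    """3x3 matrix product with exact (int or Fraction) entries."""
    return [[sum(X[i][k] * Y[k][j] for k in range(3)) for j in range(3)]
            for i in range(3)]


def matpow(X, n):
    """X^n by repeated squaring; X^0 is the identity."""
    result, base = [row[:] for row in I3], [row[:] for row in X]
    while n:
        if n & 1:
            result = matmul(result, base)
        base = matmul(base, base)
        n >>= 1
    return result


def lincomb(c1, M1, c2, M2):
    """c1*M1 + c2*M2 for 3x3 matrices."""
    return [[c1 * M1[i][j] + c2 * M2[i][j] for j in range(3)] for i in range(3)]


def lemma_iii_3(n):
    """Right-hand sides of (III-11) and (III-12): A^{2n} and A^{2n+1} in closed form."""
    even = lincomb(1, I3, Fraction(4 ** n - 1, 3), W3)       # I_3 + (2^{2n}-1)/3 W_3
    odd = lincomb(1, A, Fraction(2 * (4 ** n - 1), 3), W3)   # A + 2(2^{2n}-1)/3 W_3
    return even, odd


def state_distribution(n):
    """p_n = [alpha_n, beta_n, theta_n] = 2^{-n} A^n p_0 with p_0 = (1, 0, 0)^T, (III-16).
    Since p_0 is the first unit vector, A^n p_0 is the first column of A^n."""
    An = matpow(A, n)
    return [Fraction(An[i][0], 2 ** n) for i in range(3)]


def theorem_4_1(n):
    """Closed forms (11)-(14) of Theorem 4.1 for n = 2m or n = 2m+1."""
    q = Fraction(1, 4 ** (n // 2))                           # 2^{-2m}
    if n % 2 == 0:
        a, b = Fraction(1, 3) + Fraction(2, 3) * q, Fraction(1, 3) - Fraction(1, 3) * q
    else:
        a, b = Fraction(1, 3) - Fraction(1, 3) * q, Fraction(1, 3) + Fraction(1, 6) * q
    return [a, b, b]                                         # beta_n = theta_n


if __name__ == "__main__":
    for n in range(6):
        print(n, [str(x) for x in state_distribution(n)], state_distribution(n) == theorem_4_1(n))
```

Note that $\alpha_n = \Pr(Y_n = 0) = \Pr(Q_n = 1)$, so the first component printed is also (V-1) of Appendix V.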

Appendix IV
Proof of Theorem 4.2

Note that, given any $l > 1$, we have

$$\Pr(Q_{n+l} = 1, Q_{n+l-1} = 0, \ldots, Q_{n+1} = 0 \mid Q_n = 1) = \underbrace{\Pr(Q_{n+l} = 1 \mid Q_{n+l-1} = 0)}_{1/2} \times \underbrace{\Pr(Q_{n+1} = 0 \mid Q_n = 1)}_{1} \prod_{k=n+1}^{n+l-2}\underbrace{\Pr(Q_{k+1} = 0 \mid Q_k = 0)}_{1/2} \qquad (IV-1)$$

$$= 2^{-(l-1)}, \qquad (IV-2)$$

where (IV-1) follows from the fact that $\{Q_i\}$ is a Markov process with memory 1. Since

$$\Pr(Q_{i+1} = 1 \mid Q_i = 0) = \Pr(Q_{i+1} = 0 \mid Q_i = 0) = 1/2,$$

we also have

$$\Pr(Q_{n+l} = 0, Q_{n+l-1} = 0, \ldots, Q_{n+1} = 0 \mid Q_n = 1) = 2^{-(l-1)}. \qquad (IV-3)$$

First, considering the trivial case of no "1"s in $Q_1^N$, applying (IV-3) we get

$$\Pr(H = 0) = 2^{-(N-1)},$$

which constitutes the first line of (15). Next, assuming $W_1(Q_1^N) > 0$, we consider the two following cases (under the assumption that $Q_0 = 1$):

• Case 1 ($Q_N = 1$): Suppose $Q_1^N \in \{0, 1\}^N$ is a sequence with $k$ "1"s, where $Q_N = 1$. This means that we have $k$ "run"s of "0"s between these "1"s; let $l_i - 1$ denote the length of the $i$-th run of "0"s, $1 \leq i \leq k$:

$$\underset{Q_0}{1},\ \underbrace{0, \ldots, 0}_{\text{length } l_1 - 1},\ 1,\ \underbrace{0, \ldots, 0}_{\text{length } l_2 - 1},\ 1,\ 0, \ldots, 0,\ 1,\ \underbrace{0, \ldots, 0}_{\text{length } l_k - 1},\ \underset{Q_N}{1}.$$

Here, note that $\sum_{i=1}^{k} l_i = N$. Then, using this result, the Markovian property of $\{Q_i\}$ and (IV-2) we have

$$\Pr(Q_1^N) = \prod_{i=1}^{k} 2^{-(l_i - 1)} = 2^{-\left[\left(\sum_{i=1}^{k} l_i\right) - k\right]} = 2^{-(N-k)}.$$

The remaining task in this case is to "count" the number of such $Q_1^N$ (i.e., the ones with $Q_N = 1$). Per assumption and the description of mapping $\mathcal{M}$, we have $Q_1 = 0$ and $Q_N = 1$, which leaves $N - 2$ symbols. Since we necessarily have a "0" coming after a "1", this means we aim to find the number of different ways to put $k - 1$ patterns of "10" in a sequence of length $N - 2$ if $H = k$. In this case, we have a total of $\binom{N-k-1}{k-1}$ such possibilities. Hence,

$$\Pr(H = k, Q_N = 1) = \binom{N-k-1}{k-1}\, 2^{-(N-k)} \quad \text{for } 1 \leq k \leq \frac{N}{2},\ k \in \mathbb{Z}^+. \qquad (IV-4)$$

• Case 2 ($Q_N = 0$): Suppose $Q_1^N \in \{0, 1\}^N$ is a sequence with $k$ "1"s, where $Q_N = 0$. In this case, we have $k + 1$ runs of "0"s. Again, let $l_i - 1$ denote the length of the $i$-th "0" run, $1 \leq i \leq k + 1$:

$$\underset{Q_0}{1},\ \underbrace{0, \ldots, 0}_{\text{length } l_1 - 1},\ 1,\ \underbrace{0, \ldots, 0}_{\text{length } l_2 - 1},\ 1,\ 0, \ldots, 0,\ 1,\ \underbrace{0, \ldots, 0}_{\text{length } l_k - 1},\ 1,\ \underbrace{0, \ldots, 0}_{\text{length } l_{k+1} - 1}.$$

Note that, in contrast with case 1, here $\sum_{i=1}^{k+1} l_i = N + 1$. Using this result, the Markovian property of $\{Q_i\}$, (IV-2), and (IV-3) we have

$$\Pr(Q_1^N) = \prod_{i=1}^{k} 2^{-(l_i - 1)} \cdot 2^{-(l_{k+1} - 2)} = 2^{-\left[\left(\sum_{i=1}^{k+1} l_i\right) - k - 2\right]} = 2^{-(N-k-1)}.$$

Next, we "count" the number of such $Q_1^N$ that $Q_N = 0$. Following similar arguments to those of case 1, here we aim to find the number of different ways to put $k$ patterns of "10" in a sequence of length $N - 1$ if $H = k$. In this case, we have a total of $\binom{N-k-1}{k}$ such possibilities. Hence,

$$\Pr(H = k, Q_N = 0) = \binom{N-k-1}{k}\, 2^{-(N-k-1)} \quad \text{for } 1 \leq k < \frac{N}{2},\ k \in \mathbb{Z}^+. \qquad (IV-5)$$

Using (IV-4) and (IV-5) in

$$\Pr(H = k) = \Pr(H = k, Q_N = 0) + \Pr(H = k, Q_N = 1),$$

we obtain the second line of (15).

Assuming that $N$ is even, the case of $W_1(Q_1^N) = N/2$ deserves separate attention. In this case, observe that we necessarily have $Q_N = 1$, which implies that (IV-5) does not hold. Using $k = N/2$ in (IV-4) yields the third line of (15). □



Appendix V
Proof of Proposition 4.2

First, note that (recalling $Q_0 = 1$ with probability 1 per assumption)

$$\Pr(Q_i = 1) = \Pr(Q_i = 1 \mid Q_0 = 1) = \frac{1}{3} + \frac{2}{3}\left(-\frac{1}{2}\right)^{i}, \quad i \geq 0, \qquad (V-1)$$

from (11) and (13). Next, noting that $\Pr(Q_j \mid Q_i)$ depends only on $j - i$ for $j > i$ from the definition of $\mathcal{M}$, we also have

$$\Pr(Q_j = 1 \mid Q_i = 1) = \Pr(Q_{j-i} = 1 \mid Q_0 = 1) = \frac{1}{3} + \frac{2}{3}\left(-\frac{1}{2}\right)^{j-i}, \quad j > i \geq 0. \qquad (V-2)$$

Using (V-1) and (V-2), we get

$$\Pr(Q_i = 1, Q_j = 1) = \Pr(Q_j = 1 \mid Q_i = 1)\Pr(Q_i = 1) = \left[\frac{1}{3} + \frac{2}{3}\left(-\frac{1}{2}\right)^{j-i}\right]\left[\frac{1}{3} + \frac{2}{3}\left(-\frac{1}{2}\right)^{i}\right]$$

$$= \frac{1}{9} + \frac{2}{9}\left(-\frac{1}{2}\right)^{i} + \frac{2}{9}\left(-\frac{1}{2}\right)^{j-i} + \frac{4}{9}\left(-\frac{1}{2}\right)^{j}, \quad j > i \geq 0. \qquad (V-3)$$

Next, we have

$$E[H^2] = E\Big[\Big(\sum_{i=1}^{N} Q_i\Big)^2\Big] = \sum_{i=1}^{N} E[Q_i^2] + \sum_{\forall i, j,\ i \neq j} E[Q_i Q_j] = \sum_{i=1}^{N}\Pr(Q_i = 1) + 2\sum_{i=1}^{N-1}\sum_{j=i+1}^{N}\Pr(Q_i = 1, Q_j = 1) \qquad (V-4)$$

$$= \sum_{i=1}^{N}\left[\frac{1}{3} + \frac{2}{3}\left(-\frac{1}{2}\right)^{i}\right] + 2\sum_{i=1}^{N-1}\sum_{j=i+1}^{N}\left[\frac{1}{9} + \frac{2}{9}\left(-\frac{1}{2}\right)^{i} + \frac{2}{9}\left(-\frac{1}{2}\right)^{j-i} + \frac{4}{9}\left(-\frac{1}{2}\right)^{j}\right]$$

$$= \left[\frac{N}{3} - \frac{2}{9} + \frac{2}{9}\left(-\frac{1}{2}\right)^{N}\right] + 2\left[\frac{N(N-1)}{18} + \frac{2}{9}\sum_{i=1}^{N-1}(N-i)\left(-\frac{1}{2}\right)^{i} + \frac{2}{9}\sum_{i=1}^{N-1}\sum_{m=1}^{N-i}\left(-\frac{1}{2}\right)^{m} + \frac{4}{9}\sum_{j=2}^{N}(j-1)\left(-\frac{1}{2}\right)^{j}\right]$$

$$= \left[\frac{N}{3} - \frac{2}{9} + \frac{2}{9}\left(-\frac{1}{2}\right)^{N}\right] + 2\left[\frac{N^2}{18} - \frac{11N}{54} + \frac{4}{27} + \frac{4N-4}{27}\left(-\frac{1}{2}\right)^{N}\right]$$

$$= \frac{N^2}{9} - \frac{2N}{27} + \frac{2}{27} + \frac{8N-2}{27}\left(-\frac{1}{2}\right)^{N}, \qquad (V-5)$$

where (V-4) follows from (V-1) and (V-3), and the three geometric-type sums are evaluated as

$$\sum_{i=1}^{N-1}(N-i)\left(-\frac{1}{2}\right)^{i} = -\frac{N}{3} + \frac{2}{9} - \frac{2}{9}\left(-\frac{1}{2}\right)^{N}, \qquad \sum_{i=1}^{N-1}\sum_{m=1}^{N-i}\left(-\frac{1}{2}\right)^{m} = -\frac{N-1}{3} - \frac{1}{9} - \frac{2}{9}\left(-\frac{1}{2}\right)^{N}, \qquad \sum_{j=2}^{N}(j-1)\left(-\frac{1}{2}\right)^{j} = \frac{1}{9} + \frac{3N-1}{9}\left(-\frac{1}{2}\right)^{N}.$$

Furthermore,

$$(E[H])^2 = \left[\frac{3N-2}{9} + \frac{2}{9}\left(-\frac{1}{2}\right)^{N}\right]^2 \qquad (V-6)$$

$$= \frac{9N^2 - 12N + 4}{81} + \frac{12N - 8}{81}\left(-\frac{1}{2}\right)^{N} + \frac{4}{81}\left(\frac{1}{4}\right)^{N}, \qquad (V-7)$$

where (V-6) follows from (16). Combining (V-5) and (V-7), (19) follows.

□
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